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2.2.  Summary  of  Objectives  and  Accomplishments 

During  this  Phase  1  of  our  research  we  have  directed  our  efforts  towards  identifying  and  for¬ 
mulating  the  key  research  problems  pertaining  to  this  project. 

Main  objectives  and  accomplishments: 

•  Efficient  Bayesian  Approach  for  Recognition  of  Patterns  and  Trends  -  Spatio-temporal  Non¬ 
linear  Filtering.  Our  main  objective  is  to  develop  new  nonlinear  filtering  algorithms  that 
rely  on  both  spatial  and  temporal  information.  Development  of  this  technology  will  pro¬ 
vide  tools  that  can  analyze  simultaneously  large  number  of  targets  or  complicated  evolving 
spatial  patterns  based  on  incomplete  noisy  observations.  The  analysis  and  synthesis  of  high- 
volume  data  and,  in  particular,  spatio-temporal  data  is  addressed  by  different  disciplines  and 
from  different  perspectives.  Our  approach  is  probabilistic  in  nature,  more  specifically  it  is 
Bayesian.  One  important  feature  of  the  Bayesian  approach  is  that  it  interprets  the  data  not 
as  a  self-contained  information  depository  but  in  the  light  of  already  available  knowledge 
(e.g.  human  expertise)  regarding  the  events  reflected  by  the  data.  This  feature  is  an  ideal 
instrument  for  keeping  human  operators  “in  the  loop”  in  the  process  of  automated  decision 
making.  Nonlinear  filtering  (NLF)  is  an  extension  of  the  Bayesian  framework  into  dynamical 
systems.  NLF  is  a  field  on  the  cutting  edge  of  contemporary  stochastic  analysis,  information 
theory,  and  statistical  inference.  This  is  an  emerging  methodology  with  enormous  breadth  of 
applications.  An  important  subset  of  NLF  algorithms  developed  for  Markovian  dynamics  is 
often  referred  to  as  Hidden  Markov  Models  (HMM).  The  outputs  of  a  NLF  are  sequentially 
computed  estimates  (posterior  distributions)  of  the  states  of  evolving  hidden/noisy  patterns. 
Accomplishments  to  date: 

-  In  the  first  phase  of  our  research,  we  have  directed  our  efforts  towards  identifying  the 
approaches  to  nonlinear  filtering  that  are  most  suitable  in  dealing  with  spatial-temporal 
data  sets. 

-  We  have  extended  the  Wiener  Chaos  methodology  to  non-causal  dynamical  and  station¬ 
ary  infinite-dimensional  systems  that  are  modeling  complicated  behavior  of  multiple 
agents. 

•  Multiple  Target  Detection  and  Tracking  from  a  Moving  Platform.  Detecting  and  tracking 
multiple  target  is  a  critical  component  of  video  surveillance,  as  it  provides  the  description  of 
spatio-temporal  relationships  among  moving  objects  in  the  scene  required  by  activity  recog¬ 
nition  modules.  Environments  of  interest  usually  contain  an  unknown  and  varying  number  of 
moving  targets  which  enter  and  exit  the  field  of  view  randomly,  and  might  remain  within  the 
field  of  view  during  the  whole  sequence.  Automatic  detection  and  tracking  of  multiple  tar¬ 
gets  involves  the  detection  of  moving  regions,  the  initialization  of  tracks,  the  association  of 
regions  across  time  and  the  filtering  of  erroneous  detections  or  tracks.  Instead  of  separating 
the  detection  and  tracking  as  two  separate  procedures,  we  propose  a  probabilistic  framework 
for  automatic  detection  and  tracking  of  objects,  which  combines  the  detection  and  tracking 
together.  This  allows  object  detection  to  make  use  of  temporal  consistency  and  facilitates 
robust  tracking  of  the  object.  Moreover,  we  formulate  the  multiple  targets  tracking  as  a  data 


7 


Phase  1  Final  Progress  Report  ARO  MURI  Grant  #  W91  INF-06- 1-0094:  Spatio-Temporal  Nonlinear  Filtering  With  Applications  to  Information  Assurance  and  Counter  Terrorism 


association  problem,  in  which  the  purpose  is  to  find  the  best  association  between  observa¬ 
tions  (i.e.,  detected  moving  regions)  and  targets  while  maximizing  the  posterior  association 
probability. 

•  A  Scalable  Framework  for  Identifying  and  Tracking  Covert  Activities  of  Hostile  Agents.  This 
framework  will  include  a  family  of  algorithms  for  tracking/monitoring  covert  plans  based 
on  noisy  observations,  and  a  theoretical  methodology  for  analyzing  these  algorithms.  We 
use  an  approach  based  on  probabilistic  models  for  tracking  collaborative  plans  based  on 
Hierarchical  Hidden  Markov  Model  and  its  extensions.  These  algorithms  will  be  validated 
on  data  from  the  Hats  simulator,  which  is  a  lightweight  proxy  for  many  intelligence  analysis 
problems. 

•  Pattern  Change  and  Trend  Detection  in  Distributed  Multisensor  Systems  With  Applications 
to  Network  Security  and  Sun’eillance.  The  overarching  goal  of  this  part  of  the  project  is 
to  develop  new  procedures  for  change  detection  in  distributed  multisensor  systems,  and  to 
provide  an  analytical  framework  to  predict  their  performance  in  terms  of  the  tradeoff  be¬ 
tween  detection  delay  and  frequency  of  false  alarms.  To  address  this  goal,  we  propose  to 
analyze  several  generalizations  of  the  change  detection  problem  that  arise  in  the  applications 
to  distributed  sensor  systems.  We  consider  the  configuration  where  the  sensors  communicate 
to  a  common  fusion  center.  The  change  in  the  statistics  of  the  observations  at  the  sensors 
is  governed  by  the  event.  We  investigate  a  variety  of  models  for  the  change  process:  only 
one  (or  a  subset)  of  the  sensors  changes,  they  all  change  at  the  same  time,  or  they  change  at 
different  times.  We  also  include  various  scenarios  for  communication  with  the  fusion  center, 
from  the  centralized  one  where  the  sensors  send  sufficient  statistics,  to  the  decentralized  one 
where  they  send  quantized  observations  or  local  decisions.  We  study  the  role  of  feedback 
from  the  fusion  center,  and  investigate  schemes  for  conserving  energy  at  the  sensors  such  as 
switching  the  sensors  between  on/off  modes  and  censoring  their  observations.  Our  strategy 
for  design  and  analysis  accommodate  general  statistical  models  for  the  observations,  and 
allow  for  different  degrees  of  model  uncertainty.  Specific  objectives  and  accomplishments 
are: 


-  Development  of  an  efficient  Bayesian  approach  for  recognition  of  patterns  and  trends, 
including  joint  nonlinear  filtering  (NLF)  and  hypothesis  testing  methods. 

-  Pattern  change  and  trend  detection  in  distributed  sensor  systems,  in  particular  opti¬ 
mal  adaptive  parametric  and  nonparametric  change -point  detection  procedures  and  in¬ 
formation  integration  and  decision  fusion  in  distributed  heterogeneous  multi-source 
multi-sensor  systems. 

-  Intrusion  detection  and  networking  problems  in  information  assurance  (IA),  in  partic¬ 
ular  implementation  of  advanced  statistical  methods  for  designing  a  scalable  forensic 
Intrusion  Detection  System  (IDS)  and  development  of  an  adaptive  hierarchical  IDS. 

-  Results  include:  (a)  Preliminary  formulation  of  the  problems  in  decentralized  dis¬ 
tributed  sensor  systems,  (b)  Initial  results  on  asymptotically  optimal  and  suboptimal 
change-point  detection  in  distributed  sensor  systems,  (c)  Initial  results  on  distributed 
IDS  design  and  detection  of  computer  intrusions,  (d)  Results  on  target  detection  and 
tracking  in  heavy  clutter. 
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•  Energy-Efficient  Tracking  in  Sensor  Networks.  We  study  the  problem  of  tracking  an  object 
that  is  moving  randomly  through  a  dense  network  of  wireless  sensors.  We  assume  that  each 
sensor  has  a  limited  range  for  detecting  the  presence  of  the  object,  and  that  the  network  is 
sufficiently  dense  so  that  the  sensors  cover  the  area  of  interest.  In  order  to  conserve  energy 
the  sensors  may  be  put  into  a  sleep  mode  with  a  timer  that  determines  the  sleep  duration. 
We  assume  that  a  sensor  that  is  asleep  cannot  be  communicated  with  or  woken  up.  Thus 
the  sleep  duration  needs  to  be  determined  at  the  time  the  sensor  goes  to  sleep  based  on  all 
the  information  available  to  the  sensor.  The  objective  is  to  track  the  location  of  the  object 
to  within  the  accuracy  of  the  range  of  the  sensor.  However,  having  sleeping  sensors  in  the 
network  could  result  in  tracking  errors,  and  hence  there  is  a  tradeoff  between  the  energy 
savings  and  the  tracking  errors  that  result  from  the  sleeping  actions  at  the  sensors.  We 
consider  the  design  of  sleeping  policies  that  optimize  this  tradeoff. 

•  Spatio-Temporal  Image  Segmentation  and  Video  Tracking  Using  Logical  Models.  We  de¬ 
signed  and  built  a  second  generation  robotics  testbed  with  onboard  computing  and  onboard 
sensing.  The  developed  algorithm  for  tracking  under  partial  occlusions  utilizes  Logic  Mod¬ 
els  with  the  addition  of  prior  shape  information.  We  represent  object  motion  as  a  registration 
between  frames.  We  can  track  successfully  as  long  as  the  object  of  interest  maintains  nearly 
constant  shape  and  intensity  throughout  the  sequence,  and  does  not  become  totally  occluded. 

•  Cooperative  Control  Algorithms  for  UCLA  Multivehicle  Wireless  Testbed.  We  develop  infor¬ 
mation  fusion  algorithms  for  agile  or  mobile  sensors  with  improved  performance  by  linking 
current  deterministic  methods  with  stochastic  NLF/HMM  and  change-point  detection  ap¬ 
proaches. 

•  Models  for  Spatio-Temporal  Dynamics  of  Criminal  Behavior.  Real-time  integration  of  in¬ 
formation  from  the  variety  of  surveillance  and  sensor  platforms.  Multiple  system  platforms 
include  video-surveillance,  distributed  environmental  sensing,  and  event  recognition  and  pat¬ 
terns  from  law  enforcement  agencies. 

•  Spectral  Analysis  Techniques  for  Real-time  Generation  of  Signatures  of  Computer  Network 
Attacks.  This  objective  targets  development  of  novel  Spectral  Analysis  Techniques  to  gener¬ 
ate  signatures  of  attacks  that  cannot  be  detected  with  current  IDSs.  These  include  encrypted 
attacks,  low  level  attacks  and  attacks  through  proxies.  An  encrypted  attack  is  an  attack  where 
the  packet  stream  is  encrypted  and  the  IDS  cannot  read  the  application  headers  or  payload.  A 
low-level  attack  is  one  where  rather  than  use  relatively  few  zombies  attacking  at  full  speed, 
many  more  zombies  are  used,  each  attacking  with  just  a  few  packets  per  second  in  order  to 
stay  below  the  IDS  threshold  of  an  attack.  Finally,  an  attack  through  a  proxy  is  one  where 
malicious  and  legitimate  packets  through  a  proxy  become  indistinguishable  to  an  IDS  and 
the  only  way  to  stop  the  attack  is  to  filter  all  packets  through  the  proxy.  We  have  preliminary 
work  showing  that  we  can  create  spectral  signatures  of  DDoS  attacks  that  can  be  used  to 
detect  repeated  instances  of  such  attacks.  These  signatures  have  been  validated  with  real 
attack  traces.  Specific  accomplishments: 

-  We  have  defined  methodology  to  create  attack  signatures 

-  The  signatures  have  been  validated  with  real  attack  traces 
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-  We  carried  sensitivity  analysis  varying  the  underlying  OS,  packet  size  and  number  of 
attackers 

The  following  tasks  planned  in  the  proposal  have  been  addressed  during  this  Phase  1  effort: 
Task  1:  Development  of  an  efficient  Bayesian  approach  for  recognition  of  patterns  and  trends 
Task  2a:  Motion  detection  from  a  moving  platform 
Task  2b:  Multiple  target  tracking 

Task  3a:  Developing  prototype  scenarios  for  a  moderate  number  of  agents  in  the  Hats  domain 

Task  3b:  Building  simple  probabilistic  models  for  tracking  plans  and  intentions  in  those  sce¬ 
narios 

Task  3c:  Improving  the  Hats  Simulator  to  handle  scenarios  with  as  many  as  106  agents 
Task  4a:  Development  of  new  spatio-temporal  segmentation  and  video  tracking  algorithms 

Task  5a:  Development  of  optimal  adaptive  parametric  and  nonparametric  change-point  detec¬ 
tion  (CPD)  procedures 

Task  5b:  Development  of  CPD  algorithms  for  the  general  pattern  change  process 
Task  5c:  Energy  efficient  sensing  ( detection  and  tracking ) 

Task  6a:  Real-time  integration  of  information  from  the  variety  of  surveillance  and  sensor  plat¬ 
forms 

Task  6b:  Algorithmic  development  for  agile  sensors 

Task  7a:  Attack  signature  definition 

Task  7b:  Attack  signature  validation  with  real-life  attacks 

Task  7c:  Implement  advanced  statistical  methods  such  as  NLF,  stochastic  data  fusion,  and  se¬ 
quential  change-point  detection  to  design  a  scalable  forensic  IDS  with  improved  capabili¬ 
ties  in  ultrahigh  speed  networks 

3.  RESEARCH  SIGNIFICANCE  AND  SCIENTIFIC  BARRIERS 

3.1.  Significance 

3.1.1.  Spatio-Temporal  Nonlinear  Filtering.  So  far  NLF  /HMM  techniques  have  focused  mostly 
on  state  variable  of  small  dimensionality  with  point- wise  measurements,  and  henceforth  discarded 
the  spatial  component  of  the  information  while  focusing  on  its  dynamic.  We  plan  developing  and 
testing  new  nonlinear  techniques  that  rely  on  both  spatial  and  temporal  properties.  Development 
of  this  technology  will  provide  tools  that  can  analyze  simultaneously  large  number  of  targets  or 
complicated  evolving  spatial  patterns  based  on  incomplete  noisy  observations.  In  particular  we 
will  derive  Zakai  and  Kushner  equations  for  spatio-temporal  random  fields  and  develop  numerical 
methods  for  their  solution. 
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The  main  difficulty  in  practical  implementation  of  spatio-temporal  NLF  is  the  computational 
complexity.  It  grows  dramatically  with  the  introduction  of  spatial  component.  We  will  rely  on  se¬ 
quential  Markov  Chain  Monte  Carlo  (MCMC)  methodology  (for  particle  filters)  complimented  by 
interacting  multiple  models  for  the  state  dynamics.  The  latter  technique  allows  for  very  substan¬ 
tial  reduction  of  the  (effective)  dimension.  To  accelerate  the  MC  we  will  use  preliminary  filtering 
based  on  the  Wiener  Chaos  Expansion.  This  approach  allows  one  to  speed-up  the  algorithm  by 
shifting  offline  the  time  consuming  operations  related  to  the  prediction  steps.  In  addition,  we  will 
develop  versions  of  Kushner  and  Zakai  equations  for  infinite-dimensional  systems. 

3.1.2.  A  Multitarget  Tracking  Concept  for  Distributed  Targets  With  Unknown  Shapes.  Multiple 
target  detection  and  tracking  is  a  fundamental  problem  in  video  surveillance,  as  it  provides  the 
description  of  spatio-temporal  relationships  among  moving  objects  in  the  scene.  This  information 
is  acquired  by  many  other  surveillance  modules,  e.g.,  activity  recognition. 

3.1.3.  Tracking  Algorithms  in  Symbolic  Spaces  and  Hats  Simulator.  The  ability  to  automatically 
monitor  and  infer  adversary  plans/intentions  is  of  great  importance  for  many  applications  related 
to  the  national  security.  Existing  approaches  are  severely  limited  in  scale  (e.g.,  tracking  single 
agent  plans),  and  use  overly  simplified  models  of  hostile  agent  behavior  (e.g.,  no  active  deception). 
Our  research  aims  to  overcome  those  limitations,  and  develop  scalable  algorithms  that  will  be  of 
practical  use  to  intelligence  analysis  community. 

3.1.4.  Pattern  Change  and  Trend  Detection  in  Distributed  Multisensor  Systems  With  Applica¬ 
tions  to  Network  Security  and  Surveillance.  Decentralized  decision  making  problems  are  known 
to  be  difficult.  Without  certain  conditional  independence  assumptions  across  sensors,  the  prob¬ 
lem  of  finding  the  optimal  solutions,  even  in  the  simplest  case  of  static  binary  hypothesis  testing, 
is  computationally  intractable.  Decentralized  dynamic  decision  making  problems,  of  which  the 
change  detection  problem  is  a  special  case,  are  even  more  challenging  since  they  fall  into  the  class 
of  “Witsenhausen  problems”  with  non-classical  information  patterns.  Pattern  change  and  trend 
detection  in  distributed  sensor  networks  requires  a  non-trivial  extension  of  optimal  hypothesis  test¬ 
ing,  change  detection,  and  nonlinear  filtering  to  distributed  decentralized  systems/scenarios,  and 
implementation  to  IA  and  surveillance. 

3.1.5.  Energy-Efficient  Tracking  in  Sensor  Networks.  Advances  in  technology  are  enabling  the 
deployment  of  vast  sensor  networks  through  the  mass  production  of  cheap  wireless  sensor  units 
with  small  batteries.  Such  sensor  networks  can  be  used  in  a  variety  of  application  areas.  Our 
focus  in  this  part  of  the  project  is  on  applications  of  sensor  networks  that  involve  tracking.  The 
sensor  nodes  typically  need  to  operate  on  limited  energy  budgets.  In  order  to  conserve  energy,  the 
sensors  may  be  put  into  a  sleep  mode.  It  is  clear  that  the  performance  of  the  sensor  network  could 
degrade  due  to  having  sleepy  sensors  and  therefore  any  sleeping  policy  trades  off  performance  with 
energy  savings.  Such  sleeping  is  usually  effective  only  if  the  sensor  is  completely  turned  off  in  the 
sleep  mode,  i.e.,  a  sensor  that  is  asleep  cannot  be  communicated  with  or  woken  up  prematurely. 
A  natural  way  to  implement  the  sleeping  in  this  setting  is  to  have  the  sensor  enter  and  exit  the 
sleep  mode  using  a  fixed  or  random  duty  cycle.  We  are  pursuing  an  alternative  smart  approach  to 
sleeping  that  uses  all  available  information  about  the  state  of  the  network  to  set  the  sleep  times  of 
the  sensors.  We  have  shown  through  some  simple  tracking  examples  that  the  smart  approach  can 
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yield  significant  improvements  over  the  duty  cycle  approach  in  the  tradeoff  between  performance 
and  energy  savings. 

3.1.6.  Information  Integration  and  Fusion  in  Distributed  Heterogeneous  Multisource  Multisen¬ 
sor  Systems.  The  research  has  significance  to  design  of  mobile  sensor  networks,  design  of  video 
tracking  algorithms  for  objects  with  occlusions,  and  spatio-temporal  crime  patterns  with  potential 
application  to  terrorist  cells. 

3.1.7.  Intrusion  Detection  and  Networking  Problems  in  IA.  Intrusion  detection  and  network  at¬ 
tacks  form  a  cat  and  mouse  game  where  attackers  will  always  devise  new  ways  to  evade  current 
defenses.  It  is  thus  important  to  try  to  stay  ahead  of  the  curve.  While  the  number  of  encrypted, 
low-level  and  proxy  attacks  seen  in  the  wild  is  not  yet  large,  indications  are  that  they  will  get  larger 
soon.  For  example,  low-level  attacks  are  easily  done  today  because  the  average  size  of  a  botnet  has 
increased,  with  some  reaching  in  the  millions;  several  P2P  applications  have  already  started  using 
encryption  to  evade  rate  limiting;  and  proxies  are  prevalent  in  the  Internet  today.  Clearly,  we  need 
to  investigate  new  methods  of  creating  attack  signatures  that  are  robust  to  emerging  attacks.  Spec¬ 
tral  signatures  are  very  promising  in  this  direction.  Furthermore,  a  hybrid  approach  that  combines 
spectral  signatures  and  statistical  change  detection  in  one  unit  is  extremely  promising,  since  this 
approach  allows  not  only  for  rapid  attach  detection  but  also  for  an  additional  false  alarm  filtering. 

3.2.  Scientific  Barriers 

3.2.1.  Spatio-Temporal  Nonlinear  Filtering.  Current  methodology  of  pattern  recognition  in  mon¬ 
itoring  and  surveillance,  including  network  monitoring,  geared  towards  recognizing  stationary  pat¬ 
terns  is  not  well  adapted  for  coping  with  detecting  emerging  patterns  in  ever-changing  environ¬ 
ment.  The  patterns  of  interest  are  often  spatio-temporal  and  non-stationary,  requiring  the  develop¬ 
ment  of  new  methodology  allowing  learning  new  trends,  as  well  as  recognizing  unusual  patterns 
of  activity  from  a  heterogeneous  data  set. 

3.2.2.  Tracking  Distributed  Targets  With  Unknown  Shapes.  Most  existing  multiple  target  track¬ 
ing  methods  consider  a  one-to-one  mapping  between  targets  and  detected  regions,  which  assume 
that  at  a  given  time  instant  one  observation  can  be  associated  with  at  most  one  target  and  vice  versa: 
one  target  correspond  to  at  most  one  observation.  This  assumption  is  reasonable  when  the  consid¬ 
ered  observations  are  punctual,  however  in  video  tracking  problem,  the  observations  correspond 
to  blobs  or  meaningful  regions  which  cannot  be  modeled  faithfully  by  a  single  point.  Moreover, 
erroneous  detections  due  to  occlusion,  spurious  motion  segmentation,  or  parallax,  provide  a  set  of 
observations  where  often  a  single  moving  object  is  detected  as  multiple  moving  regions,  or  multi¬ 
ple  moving  regions  are  merged  into  a  single  blob.  The  one-to-one  association  is  usually  violated 
in  real  environments.  The  spatio-temporal  segmentation  of  objects  trajectories  relies  on  the  aggre¬ 
gation  of  hypothesis  in  time  and  space  for  inferring  the  path  of  each  moving  object  in  the  scene. 
The  numerical  complexity  of  the  association  scheme  is  therefore  substantially  large.  To  solve  this 
combinatorial  optimization  problem,  a  Markov  Chain  Monte  Carlo  (MCMC)  method  is  proposed 
to  sample  the  solution  space. 

3.2.3.  Tracking  in  Symbolic  Spaces  and  Hats  Simulator.  There  are  three  challenges  that  we  ad¬ 
dress  below. 
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A.  Tracking  Collaborative  Plans.  Most  of  the  existing  work  on  plan-recognition  deals  with 
single  agent  scenarios.  In  real  world  situation,  malicious  plans,  such  as  terrorist  attacks,  are  often 
executed  by  teams  of  hostile  agents.  Hence,  successful  algorithms  have  to  take  into  account  possi¬ 
ble  correlations  between  actions  of  various  agents,  and  hypothesize  about  possible  teams  of  agents 
that  might  be  involved  in  hostile  activities.  This  makes  the  detection  problem  much  more  complex. 

B.  Modeling  Deceptive  Behavior.  Deception  is  a  crucial  ingredient  of  any  covert  activity.  An 
important  (and  required)  element  of  a  deceptive  behavior  is  to  hide  certain  actions  from  an  ob¬ 
server.  There  are,  however,  much  more  sophisticated  forms  of  deception  (e.g.,  fake  build-ups  and 
numerous  “invasions”  by  the  allied  forces  that  proceeded  the  D-day).  Existing  research  in  plan 
recognition  has  not  adequately  addressed  this  type  of  active  deception.  To  account  for  this,  we  will 
need  to  develop  a  formal  theory  of  deception  that  will  allow,  among  other  things,  to  characterize 
various  forms  of  deception,  and  provide  computational  models  of  deceptive  behavior. 

C.  Scalability.  Even  in  single  agent  plan  recognition,  the  complexity  of  tracking  algorithms  can 
be  an  important  issue  if  the  covert  agents  are  embedded  in  a  large  benign  population.  Considering 
collaborative  plans  adds  another  dimension  to  the  problem  complexity,  as  the  number  of  hypothesis 
about  possible  covert  taskforce  grows  exponentially  with  team  size. 

3.2.4.  Change  and  Trend  Detection  in  Distributed  Multisensor  Networks.  Distributed  decentral¬ 
ized  decision-making  problems  (hypothesis  testing,  estimation,  and  joint  testing-estimation)  are 
extremely  non-trivial  even  when  centralized  solutions  are  available.  Optimal  solutions  are  barely 
tractable,  and  the  major  goal  here  is  obtaining  asymptotically  optimal  or  suboptimal  solutions, 
e.g.,  a  globally  asymptotically  optimal  solution  to  a  change-point  detection  problem,  which  is  a 
dynamic  decision  making  problem. 

3.2.5.  Designing  Energy-Efficient  Tracking  Policies.  Designing  sleeping  policies  for  energy- 
efficient  tracking  involves  solving  a  stochastic  control  problem  (on  a  potentially  large  state  space) 
jointly  with  the  nonlinear  filtering  problem  that  naturally  arises  in  tracking.  The  state-space  for 
the  control  problem  grows  exponentially  with  the  number  of  sensors,  and  so  optimal  approaches 
via  dynamic  programming  (DP)  are  intractable  for  more  than  a  few  sensors.  Fortunately  we  have 
been  able  to  design  provably  good  suboptimal  policies  with  linear  complexity  in  the  number  of 
sensors  for  a  simple  sensing  and  object  movement  model.  There  are  several  challenges  that  remain 
to  be  addressed  including:  more  realistic  sensing  models,  more  realistic  object  movement  models, 
partially  known  or  unknown  statistics  for  object  movement,  decentralized  implementation  across 
sensors,  and  tracking  multiple  objects  simultaneously. 

3.2.6.  Information  Integration  in  Distributed  Heterogeneous  Multisource  Multisensor  Systems. 
The  challenges  faced  by  the  team  included  the  hardware  design  of  a  platform  with  micro-sized 
vehicles  to  process  data  and  information  in  real  time.  Also  we  considered  video  footage  in  which 
an  object  of  interest  goes  behind  an  occlusion  and  must  continue  to  be  tracked.  Finally  we  built 
models  for  crime  data  from  scratch  based  on  individual  movement  of  criminals  and  likelihood  of 
them  breaking  into  a  location  due  to  previous  history  of  that  location. 

3.2.7.  Intrusion  Detection  and  Networking  Problems  in  IA.  Three  aspects  have  to  be  empha¬ 
sized: 
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A.  Real  Data  Collection  -  LANDER.  Up  to  this  point  there  were  no  real  attack  data  sets  avail¬ 
able  to  test  and  validate  our  detection  algorithms.  Recently  this  has  changed  with  the  creation  of 
LANDER  (Los  Angeles  Network  Data  Exchange  and  Repository),  a  DHS-funded  effort  to  collect 
and  distribute  real  attack  data  sets.  LANDER  is  based  at  USC  and  we  have  full  access  to  all  data  in 
the  repository.  In  addition  to  collecting  data  from  the  regional  ISP  serving  USC  and  other  educa¬ 
tional  and  commercial  institutions,  LANDER  has  recently  installed  a  capture  point  at  a  commercial 
web-hosting  service  that  routinely  gets  attacked  on  a  daily  basis.  We  expect  that  with  LANDER 
we  will  solve  the  problem  of  access  to  real-world  attack  data. 

B.  Real-time  Spectral  Signature  Generation.  The  other  challenge  is  adapting  standard  signal 
processing  techniques  to  time  series  generated  from  network  traffic.  The  challenges  there  include 
using  the  right  variables  to  track  in  a  time  series,  the  right  resolution,  etc. 

C.  Hybrid  Anomaly-Signature  IDS.  False  alarm  rate  (FAR)  of  anomaly-based  detectors  with 
hard  decisions  may  be  improved  by  analyzing  more  detailed  patterns  in  traffic  statistics,  i.e.,  sig¬ 
natures.  Therefore,  combining  spectral  signature  approach  and  corresponding  signal  processing 
techniques  with  anomaly  change  detection  based  techniques  seems  to  be  beneficial.  This  approach 
is  complementary  to  the  anomaly-based  and  signature-based  IDSs  and  allows  for  profiling,  i.e., 
confirmation  or  rejection  of  detection  decisions  at  the  output  of  the  anomaly  detector  using  signa¬ 
ture  analysis.  Combining  these  two  methods  into  a  hybrid  IDS  is  not  a  trivial  task. 


4.  TECHNICAL  APPROACH  AND  MAIN  RESULTS  OF  THE  PHASE  1 
EFFORT 

4.1.  Efficient  Bayesian  Approach  for  Recognition  of  Patterns  and  Trends  —  Spatio-Temporal 
Nonlinear  Filtering 

The  analysis  and  synthesis  of  high- volume  data  and  in  particular  spatio-temporal  data  is  ad¬ 
dressed  by  different  disciplines  and  from  different  perspectives.  Our  approach  is  probabilistic  in 
nature,  more  specifically  it  is  Bayesian.  One  important  feature  of  the  Bayesian  approach  is  that  it 
interprets  the  data  not  as  a  self-contained  information  depository  but  in  the  light  of  already  avail¬ 
able  knowledge  (e.g.,  human  expertise)  regarding  the  events  reflected  by  the  data.  This  feature  is 
an  ideal  instrument  for  keeping  human  operators  “in  the  loop”  in  the  process  of  automated  decision 
making. 

Nonlinear  filtering  (NLF)  is  an  extension  of  the  Bayesian  framework  into  dynamical  systems. 
Kalman  filter  designed  for  linear  dynamical  systems  and  linearly  structured  observations  is  prob¬ 
ably  the  most  famous  Bayesian  filter.  Its  generalizations  to  nonlinear  systems  and/or  observations 
is  usually  referred  to  as  optimal  nonlinear  filtering  (ONLF)  for  hidden  Markov  models  (HMM). 
ONLF  is  a  field  on  the  cutting  edge  of  contemporary  stochastic  analysis,  information  theory,  and 
statistical  inference.  This  is  an  emerging  methodology  with  enormous  breadth  of  applications. 

So  far  NLF/HMM  applications  have  focused  mostly  on  state  processes  of  small  to  medium 
complexity  insufficient  for  the  applications  of  interest  for  this  project.  One  of  the  main  objectives  of 
this  project  is  development  of  spatio-temporal  NLF  algorithms  and  their  DoD  relevant  applications. 
Certain  progress  in  this  direction  has  been  made  during  the  current  stage  of  the  grant.  This  progress 
is  outlined  below. 
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To  address  tracking  objects  in  distributed  data/images  we  have  derived  a  preliminary  version 
of  Zakai  and  Kushner  equations  for  spatial-temporal  observation  process  with  continuous  and  dis¬ 
crete  observations.  In  particular,  we  have  derived  the  analogs  of  Zakai  and  Kushner  equations  of 
nonlinear  filtering  in  this  setting. 

Applications  to  tracking  multiple  agents/plans  (see  Section  4.3)  requires  development  of  non¬ 
linear  filtering  methods  for  telescoping  Markov  processes.  The  simplest  example  of  this  type  of 
processes  is  referred  to  as  interacting  multiple  models  (IMM).  Our  recent  results  allow  for  extend¬ 
ing  this  methodology  to  very  complicated  systems.  Partial  testing  of  the  obtained  algorithm  was 
performed  on  simple  “Hats”  models. 

One  of  the  very  difficult  problems  of  nonlinear  filtering  is  related  to  estimation  of  processes  re¬ 
lated  to  uncertainty  of  the  observation.  This  is  often  modeled  as  a  process  controlling  the  intensity 
of  the  noise  in  observations.  We  have  proposed  and  developed  an  NLF  algorithm  for  this  setting 
with  observations  obtained  at  random  times.  The  results  turned  out  to  be  very  promising.  They 
were  applied  to  tracking  volatility  (see  papers  [9]  and  [10]).  A  similar  algorithm  for  tracking  the 
level  of  hostile  “chatter”  on  the  Internet  is  under  consideration. 

4.2.  Video  Tracking  Multiple  Distributed  Targets  From  a  Moving  Platform 

The  overview  framework  of  detection  and  tracking  multiple  target  from  a  moving  platform  is 
shown  in  Figure  1 . 

4.2.1.  Image  Registration  and  Adaptive  Background  Modeling.  The  main  difference  between 
the  detection  of  moving  objects  from  a  stationary  and  moving  camera  is  the  characterization  of 
the  background  model.  In  a  stationary  camera,  variations  in  the  image  sequence  are  modeled 
at  the  pixel  level  and  allow  defining  a  background  model  for  each  pixel  using  statistical-based 
techniques.  This  concept  can  be  extended  to  non- stationary  cameras  by  compensating  for  the 
camera  motion  prior  to  the  estimation  of  the  background  model.  Registering  the  current  frame  to 
the  selected  reference  is  performed  by  concatenating  the  estimated  pair-wise  transforms,  shown  in 
Figure  2.  We  propose  to  establish  the  background  modeling  within  a  sliding  window  to  reduce  the 
accumulated  registration  error. 

4.2.2.  Boosted  MCMC  Data  Association  for  Multiple  Target  Tracking.  We  formulate  the  mul¬ 
tiple  targets  tracking  as  an  association  problem,  in  which  the  purpose  is  to  find  the  best  spatio- 
temporal  association  (shown  in  Figure  3)  between  observations  (i.e.,  detected  moving  regions)  and 
targets  while  maximizing  the  posterior  association  probability.  This  spatio-temporal  association 
method  which  does  not  require  the  one-to-one  mapping  between  observations  and  targets.  We  rep¬ 
resent  the  association  problem  in  a  deferred  logic  way  where  association  is  defined  between  targets 
and  a  set  of  latest  observations  within  a  sliding  window.  This  allows  the  association  decision  to 
be  made  when  enough  observations  are  available.  As  the  size  of  sliding  window  grows,  the  scale 
of  the  problem  grows  exponentially.  To  avoid  the  enumeration  of  all  possible  association  hypothe¬ 
sis  and  to  solve  this  combinatorial  optimization  problem  efficiently,  we  propose  an  Markov  Chain 
Monte  Carlo  (MCMC)  [13]  method  to  sample  the  solution  space.  Instead  of  separating  the  de¬ 
tection  and  tracking  as  two  separate  procedures,  each  preliminary  detection  derived  by  the  motion 
segmentation  is  assigned  a  model  likelihood  provided  by  a  real- valued  Adaboost  classifier  trained 
offline.  The  MCMC  sampling  is  driven  by  an  informed  proposal  scheme  controlled  by  a  joint 
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Figure  1 :  The  framework  of  multiple  target  detection  and  tracking  from  a  moving  platform 


Figure  2:  Adaptive  background  modeling 


Frame  345  Frame  350  Frame  355 

Figure  3:  Spatio-temporal  association  tracking 
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probability  model  combining  motion,  appearance  and  model  likelihood  among  detected  regions. 
We  test  our  detection  and  tracking  framework  on  videos  captured  by  moving  platform  such  as 
Unmanned  Aerial  Vehicles  (UAV). 

4.3.  Probabilistic  Tracking  and  Detecting  Hostile  activities  in  Hats 

Our  probabilistic  framework  will  be  designed  to  detect  and  track  hostile  plans  and  intentions 
in  a  virtual  society  of  agents.  We  assume  that  most  of  the  agents  are  engaged  in  benign  activities, 
while  a  small  number  have  malicious  intent.  Some  specific  research  questions  in  this  regard  are: 

•  How  does  the  detection  accuracy  depend  on  the  difference  between  benign  and  covert  be¬ 
havior? 

•  How  much  data  does  one  need  for  detecting  malicious  intent? 

•  What  kind  of  error  rates  should  one  expect? 

The  main  goal  of  the  proposed  research  is  to  obtain  quantitative  answers  to  those  questions, 
and  use  the  insights  from  the  analysis  to  develop  efficient  and  scalable  probabilistic  algorithms  for 
detection  and  tracking  in  symbolic  space  of  plans  and  intentions. 

4.3.1.  The  Probabilistic  Framework:  Model  and  Inference.  The  theoretical  foundation  of  our 
tracking  model  is  provided  by  an  Abstract  Hidden  Markov  Model  (AHMM)  [5])  that  uses  a  Dy¬ 
namic  Bayesian  Network  representation  of  the  plan  hierarchy.  There  is  a  set  of  possible  states  S 
which  is  called  the  state  space.  At  each  state  5,  an  agent  has  a  set  of  actions  A  available,  where  each 
action  a,  if  employed,  will  cause  the  system  to  move  to  the  next  state  s'  via  a  transition  probability 
cra(s,  s').  An  agent’s  plan  of  action  is  modeled  as  a  policy  that  determines  which  action  the  agent 
will  choose  at  each  state.  For  a  policy  ir,  this  is  modeled  by  a  selection  function  an  :  SxA  — >  [0,1], 
where  at  each  state  s,  an(s,a)  is  the  probability  that  the  agent  will  choose  the  action  a.  Thus, 
for  a  fixed  policy  ir,  the  resulting  state  sequence  is  a  Markov  chain  with  transition  probabilities 
Pr(s’\s)  =  ^2a  crn(s ,  a)oa(s ,  s').  Hence  a  policy  can  also  be  viewed  as  a  Markov  chain  through 
the  state  space.  A  policy  hierarchy  is  defined  as  a  sequence  H  =  (n0,  Hi, ... ,  n^)  where  K  is 
the  number  of  levels  in  the  hierarchy,  n0  is  a  set  of  primitive  actions,  and  for  A;  =  1, ...  ,K,  II/, 
is  a  set  of  policies  over  the  policies  in  nfc_!.  When  a  top-level  policy  nK  is  executed,  it  invokes  a 
sequence  of  level-(/l  —  1)  policies,  each  of  which  invokes  a  sequence  of  level-(/l  —  2)  policies, 
and  so  on.  A  level-1  policy  will  invoke  a  sequence  of  primitive  actions  which  leads  to  a  sequence 
of  states. 

We  will  then  adopt  the  multi-agent  extension  of  this  method  devised  by  [22]  known  as  Hier¬ 
archical  Multiagent  Markov  Processes  (HMMP),  which  assumes  that  the  agents  coordinate  their 
actions  at  more  abstract  levels  by  explicitly  using  a  central  controller,  but  at  lower  levels,  individ¬ 
ual  policies  are  executed  without  coordination  by  each  agent.  This  will  help  us  build  a  framework 
for  tracking  subsets  of  agents  together,  thus  leading  to  the  detection  of  potential  task  forces  for  a 
harmful  event. 

In  the  framework  of  AHMM,  it  is  assumed  that  a  policy  hierarchy  is  given,  however,  the  top 
level  policy  and  the  details  of  its  execution  are  unknown.  The  problem  is  to  determine  the  top  level 
policy  and  other  current  policies  at  the  lower  levels  given  the  current  sequence  of  observations.  In 
other  words,  we  are  interested  in  estimating  the  conditional  probability  Pr(7rf , . . . ,  7r°|ot_i),  and 
the  marginals  Pr(7qfc  |o*_i),  for  all  levels  k.  This  is  done  by  updating  the  belief  state  Pr(7rf+I ,  ot+i\ot) 
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at  each  state  using  the  posterior  after  absorbing  the  observation  ot+ 1  at  time  t  + 1.  Computing  these 
probabilities  gives  us  the  information  about  the  current  policies  at  all  levels  of  abstraction,  from 
the  current  action  ( k  =  0)  to  the  top  level  policy  ( k  =  K),  taking  into  account  all  the  observations 
that  we  have  up  to  date.  Computing  these  probabilities  is  generally  intractable  unless  the  belief 
state  has  an  efficient  representation  that  affords  a  closed-form  update  procedure.  Without  any 
structure  imposed  on  the  belief  state,  the  complexity  for  updating  it  is  exponential  in  K .  To  cope 
with  this  complexity,  a  hybrid  inference  scheme  based  on  Rao-Blacwellized  Sequential  Importance 
Sampling  (RB-SIS;  [5])  is  used,  which  combines  both  approximation  and  tractable  exact  inference 
for  efficiency. 

4.3.2.  The  Hats  Domain.  The  Hats  Simulator  [8]  is  designed  to  be  a  lightweight  proxy  for  many 
intelligence  analysis  problems,  and  thus  as  a  test  environment  for  analysts’  tools.  It  is  a  virtual 
world  in  which  millions  of  agents  engage  in  individual  and  collective  activities.  Most  are  benign 
and  a  small  fraction  of  them  intend  harm,  and  each  hat  belongs  to  one  or  more  organizations 
(benign  and  terrorist).  The  activities  are  planned  by  a  generative  planner  and  the  job  of  the  analyst 
is  to  find  harmful  agents  before  they  can  attack  certain  landmarks  referred  to  as  beacons.  The 
beacons  have  known  vulnerabilities  that  must  be  acquired  by  the  task  force  (TF)  in  order  to  be  able 
to  destroy  it.  First,  the  planner  chooses  a  target  beacon  for  the  attack,  followed  by  the  choice  of  a 
TF,  and  then  assigns  roles  to  TF  members,  i.e.,  each  member  is  assigned  a  certain  capability  that 
will  be  transported  to  the  beacon  at  the  final  stage  of  the  attack.  Once  these  assignments  are  made, 
the  planner  generates  a  meeting  schedule  for  each  TF  member,  so  that  on  completion  of  these 
meetings,  each  TF  carries  the  assigned  capability.  Finally,  the  TF  is  moved  to  the  beacon  location 
for  the  final  meeting  or  the  attack.  A  simple  Hierarchical  Task  Network  (HTN)  representing  the 


Figure  4:  The  HTN  representation  of  a  terrorist  attack  planning  in  HATS 

HATS  scenario  is  depicted  in  Figure  4.  Note  that,  during  plan  execution,  only  the  last  step  produces 
actual  observations  (highlighted  nodes  in  Figure  4)  in  the  form  of  meetings,  while  the  choice 
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of  the  target,  the  TF,  role  assignment  and  the  capability  trades  are  all  hidden  from  the  analyst. 
However,  the  simulator  maintains  information  about  all  the  agents  that  may  be  acquired  through 
an  information  broker  by  paying  a  certain  “fee”. 

4.3.3.  The  AHMM  Formulation  in  HATS.  In  the  HATS  domain,  each  policy  in  the  plan  hierarchy 
is  represented  by  a  node  in  Figure  4.  The  meetings  between  the  hats  are  the  observable  actions  used 
to  update  the  beliefs  about  whether  a  particular  hat  possesses  the  required  capabilities  needed  to 
attack  the  beacon  at  each  time  point.  So  far,  we  have  developed  a  simple  set  of  update  rules 
based  on  the  meeting  trees  of  each  agent  that  are  executed  independently  (since  TF  members 
meet  only  at  the  final  meeting).  The  single-agent  policies  therefore  comprise  of  a  hat  acquiring 
a  set  of  capabilities  with  the  trades  having  a  strict  temporal  ordering  constraint  that  evolves  over 
time.  There  are  4  levels  of  hierarchy  in  the  HATS  domain  (K  =  3)  —  (i)  level-0,  which  has  the 
observations  (meetings),  (ii)  level- 1,  which  is  the  state  where  each  agent  is  acquiring  capabilities, 
(in)  level-2,  where  all  the  required  capabilities  have  been  acquired  by  the  TF  members,  and  ( iv ) 
level-3,  when  the  final  meeting  (attack)  occurs. 

4.3.4.  The  Bayesian  Update  Rules.  Let  us  consider  a  population  of  hats  {Hi,  H2, . . .},  and  let 
(Ci,  C2,  •  •  • ,  CN}  denote  the  complete  set  of  N  capabilities  that  these  hats  may  possess.  Let  us 
assume  for  the  time  being  that  the  analyst  has  some  prior  beliefs  about  the  initial  capabilities  that 
each  Hi  has.  The  hats  then  go  to  meetings  { Ml , . . . ,  Mj')  with  other  hats.  Since  only  meetings 
are  observed  and  not  the  trades,  we  can  only  assume  that  a  trade  occurs  with  a  certain  probability 
at  each  time  between  two  hats.  More  precisely,  pB  k,  =  Pr (Hk  trades  C:I  to  H%  \ Hk  has  C} ) ,  if  II, 

meets  with  ///,.  at  a  time  point.  For  now,  we  assume  this  to  be  constant,  that  is,  pB  A.,  =  ptr  for  all 
i,  j,  k.  Now  let  us  define  a  random  variable  Cj  t  such  that 

i  =  f  1,  if  Ht  has  Cj 
4*  {  0,  otherwise. 

We  then  wish  to  update  the  belief  of  this  event  at  time  t  given  by  Bp’  =  Pr{CjL  =  1 1  Mj ) ,  where 
Mj  denotes  all  the  meetings  of  hat  //,  till  time  t,  thus  giving  rise  to  the  posterior  after  absorbing 
the  observation  (meeting  with  Hk)  at  the  next  time  point  it  +  1)  M'f  1 : 

Bih  =  Pr(C)t+l  =  1| Ml+1)  =  Pr(C)  t  =  1| Mf)  x  Pr(Hi  does  not  trade  Cj  to  Hk\C)t  =  1) 
+  Pr(Cjt  =  0| Mf)  x  Pr(Hi  acquires  Cj  at  time  t  +  l|Mj+1) 

=  Bi'j(l-ptr)  +  [l-*Bi’j]B?’jptr.  (2) 

Now,  in  case  Hi  does  not  participate  in  a  trade  at  time  (4  +  1).  there  is  no  update  to  the  belief  about 
its  capabilities  at  that  time  point,  so  that  B(f ,  =  B)'3 ,  for  all  j.  Hence  we  have  a  nice  general  rule 
for  updating  the  belief  at  any  time  t  recursively  for  each  hat  and  each  capability  individually. 

However,  in  the  hats  scenario,  the  capabilities  of  a  hat  are  subject  to  decay  or  expiration  and  in 
order  to  incorporate  this  in  Equation  2,  we  define  Si’3  to  be  the  probability  of  decay  of  capability 
Cj  for  HL  at  time  point  t.  Then  the  revised  update  rule  for  B)'J  on  absorbing  the  observation  at 
time  (t  +  1)  can  be  written  as 

B&x  =  Bipl-P(tp  +  ll-Bp]BpptM+Pr(Cjt  =  l\Mi) 

x  Pr(Cj  does  not  expire  for  Hr  \ Cnj  t  =  1)  =  Blt’j( 2  —  ptr  —  S\'3)  +  [1  —  Blt’j]B^’j ptr. 
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In  case  Hi  does  not  participate  in  a  trade  at  time  (t  +  1),  the  revised  update  rule  now  will  be, 

Blt'h  =  Pr{Hi  has  Cj  at  time  t  and  it  does  not  expire | Mlt+l)  =  B\^{1  —  8lt,j). 

Let  us  now  consider  a  situation  with  M  beacons  and  P  terrorist  organizations.  The  next  task 
therefore  is  to  propagate  the  beliefs  about  hats  possessing  different  capabilities  to  determine  how 
likely  a  hat  is  to  plan  an  attack  on  a  particular  beacon  and  be  a  member  of  a  particular  terrorist 
organization.  The  probability  of  Hi  attacking  Beacon  r  with  a  vulnerability  set  L  can  be  computed 
as: 


P/j'i  =  Pr  ( II;  has  at  least  1  of  the  vulnerabilities  at  time  t  +  l\M'w) 

=  1  —  Pr{Hi  has  none  of  the  3  required  capabilities  |Mf*+1) 

=  1-n  (3) 

Note  that,  we  have  made  the  approximation  here  that  the  probability  of  a  TF  member  possessing 
none  of  the  vulnerabilities  of  the  beacon  is  negligible,  and  assumed  that  hats  possess  capabilities 
independently.  Figure  5  shows  a  simple  schematic  how  the  new  evidence  based  on  meetings  are 
gradually  propagated  up  the  plan  hierarchy  through  the  Bayesian  updating-filtering  mechanism 
that  we  just  described. 


Figure  5:  The  conditional  independence  relationships  in  the  HATS  domain.  “TO”  denotes  the 
terrorist  organization,  “B”  denotes  the  beacon  to  attack,  “q”  denotes  the  capabilities  and 
denotes  the  meetings. 


4.3.5.  Future  work.  In  our  proposed  research  we  will  refine  this  simple  model  to  achieve  a  more 
general  and  coherent  framework  for  detection  and  tracking.  In  particular,  we  will  introduce  joint 
update  rules  for  all  capabilities,  intentions  to  attack  a  particular  beacon,  as  well  as  terrorist/benign 
status  of  an  agent.  This  is  expected  to  enhance  the  accuracy  of  our  proposed  model  by  exploiting 
the  conditional  independence  relationships.  We  will  compute  the  joint  likelihood 

Pr(7rf,...,7r°|oi_i) 

using  the  AHMM  framework  and  perform  inference  relating  to  the  hypotheses  about  the  potential 
task  forces.  Note  that,  the  update  rules  have  closed-form  expressions  here  and  hence  tractable 
inference  will  be  possible.  Another  aspect  of  the  research  will  involve  incorporating  a  “hidden” 
variable  to  denote  the  intention  of  each  hat  to  acquire  the  required  attributes  of  a  beacon.  Three 
other  significant  research  directions  involve: 


20 


Phase  1  Final  Progress  Report  ARO  MURI  Grant  #  W91  INF-06- 1-0094:  Spatio-Temporal  Nonlinear  Filtering  With  Applications  to  Information  Assurance  and  Counter  Terrorism 


(i)  identify  deceptive  behavior  by  developing  a  rigorous  theoretical  framework  of  deception 
detection, 

in)  introduce  coordination  among  the  members  of  the  task  force  in  a  multi-agent  scenario 
using  the  HMMP  model,  and 

(in)  scalability  and  other  computational  issues  that  will  assess  how  well  our  model  treats  a 
large  number  of  hats  in  the  order  of  millions. 

4.4.  Pattern  Change  and  Trend  Detection  in  Distributed  Sensor  Networks 

One  of  the  goals  of  this  project  is  to  develop  new  procedures  for  pattern  change  and  trend 
detection  in  distributed  multisensor  systems,  and  to  provide  an  analytical  framework  to  predict 
their  performance  in  terms  of  the  tradeoff  between  detection  delay  and  frequency  of  false  alarms. 


event 


{Xltn}  {XM,n} 


Figure  6:  Change  detection  using  distributed  sensors  and  modes  of  operation 


To  address  this  goal,  we  performed  analysis  of  several  generalizations  of  the  change  detection 
problem  that  arise  in  the  applications  to  distributed  sensor  systems.  In  the  distributed  multisensor 
systems  that  are  the  focus  of  this  project,  the  information  about  the  change  is  available  through 
a  set  of  geographically  separated  sensors,  as  shown  in  Figure  6.  Specifically,  we  consider  the 
distributed  multisensor  system  with  N  sensors,  Si, . . . ,  Sn,  communicating  with  a  fusion  center. 
At  time  n,  an  observation  Xi  n  is  made  at  sensor  S The  changes  in  the  statistical  properties  of  the 
sequences  { Xin }  are  governed  by  the  event.  The  sensors  communicate  to  a  common  fusion  center. 
We  investigate  a  variety  of  models  for  the  change  process:  only  one  (or  a  subset)  of  the  sensors 
changes,  they  all  change  at  the  same  time,  or  they  change  at  different  times.  We  also  include 
various  scenarios  for  communication  with  the  fusion  center,  from  the  centralized  one  where  the 
sensors  send  sufficient  statistics,  to  the  decentralized  one  where  they  send  quantized  observations 
or  local  decisions.  We  study  the  role  of  feedback  from  the  fusion  center,  and  investigate  schemes 
for  conserving  energy  at  the  sensors  such  as  switching  the  sensors  between  on/off  modes  and 
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censoring  their  observations.  Our  strategy  for  design  and  analysis  accommodate  general  statistical 
models  for  the  observations,  and  allow  for  different  degrees  of  model  uncertainty. 

Based  on  the  information  available  at  S)  at  time  n,  a  message  Vr/n  is  sent  from  sensor  Si  to  the 
fusion  center.  There  are  various  possibilities  for  communication  from  the  sensors:  they  could  send 
the  observations  (or  sufficient  statistics),  they  could  send  quantized  observations,  and  they  could 
choose  to  censor  their  observations.  Censoring  refers  to  the  situation  where  the  sensors  refrain 
from  sending  any  information  to  the  fusion  center  for  certain  observations;  this  is  indicated  by 
switches  on  V^n  in  Figure  6.  Also,  to  conserve  energy  the  sensors  may  switch  between  on  and  off 
modes;  this  is  indicated  by  switches  on  X^n. 

This  concert  of  possibilities  leads  to  a  very  interesting  set  of  open  problems  that  will  be  dis¬ 
cussed  in  the  course  of  future  research.  In  order  to  address  the  wide  range  of  potential  applications 
of  our  theory,  we  will  accommodate  general  statistical  models  for  the  observations  and  allow  for 
different  degrees  of  model  uncertainty. 

In  the  rest  of  this  section,  we  will  be  interested  in  a  particular  distributed  and  decentralized 
multisensor  scenario  where  no  communication  between  sensors  and  no  feedback  between  the  fu¬ 
sion  center  and  sensors  are  allowed,  as  shown  in  Figure  7.  The  statistical  properties  of  the  sensors’ 
observations  change  at  the  same  unknown  point  in  time.  The  goal  is  to  detect  this  change  as  soon 
as  possible,  subject  to  false  alarm  constraints.  The  sensors  may  send  either  quantized  versions  of 
their  observations  or  local  decisions  to  a  fusion  center  where  a  final  decision  is  made  based  on  all 
the  sensor  messages. 


{*,(«)}  (AV(n)} 


Figure  7:  Change  detection  with  distributed  sensors  and  no  feedback 

Therefore,  there  is  a  distributed  iV-sensor  system  in  which  at  time  n  one  observes  an  TV- 
component  vector  stochastic  process  (X A(n), . . . ,  XN{n)).  The  i-th  component  X,(n),  n—  1,2,... 
corresponds  to  observations  obtained  from  the  sensor  S),  as  shown  in  Figure  7.  We  will  consider 
two  approaches  to  the  decentralized  fusion  problem.  In  the  first  case,  the  sensors  quantize  their 
observations  and  these  quantized  observations  are  sent  to  the  fusion  center;  in  the  second  sce¬ 
nario  they  make  local  decisions  that  are  sent  to  the  fusion  center.  At  an  unknown  point  in  time  A 
(A  =  1, 2  ... )  something  happens  and  all  of  the  components  change  their  distribution.  Conditioned 
on  the  change  point,  the  observation  sequences  (A^(n)},  {X2(n)},  . . . ,  {7Cv(n)}  are  assumed  to 
be  mutually  independent.  Moreover,  we  assume  that,  in  a  particular  sensor,  the  observations  are 
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independent  and  identically  distributed  (iid)  before  and  after  the  change  (with  different  distribu¬ 
tions).  If  the  change  occurs  at  A  —  k,  then  in  sensor  S,  the  data  X,,  ( 1 ) , . . . ,  A",  ( k  —  1)  follow 
the  distribution  F{\  with  a  density  /q  ^(x),  while  the  data  AQ(fc),  X^k  +  1), . . .  have  the  common 
distribution  F\  with  a  density  /['  ( x )  (both  with  respect  to  a  sigma-finite  measure  /i(x)). 

To  be  more  specific,  let  P/  (correspondingly  Efc)  be  the  probability  measure  (correspondingly 
expectation)  when  the  change  occurs  at  time  A  =  k.  Then,  Px  and  stand  for  the  prob¬ 
ability  measure  and  expectation  when  A  =  oo,  i.e.,  the  change  does  not  occur.  Write  X”  = 
(X*(l), . . . ,  Xi(n ))  and  Xn  =  (X",  ....  X^).  Under  P^,  the  density  of  X"  is 

N  n 

Po(X“)  =  nn^o'AVO))  for  all  n  >  1 

*=1  3= 1 


and,  under  P;,.,  the  density  of  Xn  is 

k—1  n 

n/oAXiWWlpUXiU)) 

J= 1  j=k 


N 


Pa(X”)  =  n 


i=  1 


for  k  F,  n  and  pfe(Xn)  =  p0(X")  for  k  >  n. 

In  the  minimax  setting,  a  reasonable  measure  of  the  detection  lag  is  the  supremum  average 
detection  delay  (SADD) 

SADD(r)  =  sup  Efc(r  —  k\r  ^  k ) 

l^k<oo 

while  the  false  alarm  rate  can  be  measured  by  the  average  run  length  (ARL)  to  false  alarm 


ARL(r)  =  Eoo  r. 


An  optimal  minimax  detection  procedure  is  a  procedure  for  which  SADD(r)  is  minimized  while 
ARL(r)  is  set  at  a  given  level  7,  7  >  0.  Specifically,  define  the  class  of  change-point  detection 
procedures 

A (7)  =  (r  :  ARL(r)  ^  7} 

for  which  the  ARL  exceeds  the  predefined  positive  number  7.  The  optimal  change-point  detection 
procedure  is  described  by  the  stopping  time 


v  =  arg  inf  SADD(r). 

t£A(7) 


Let 


Zi(n)  =  log 


fo](Xt(n)) 


(4) 


be  the  log-likelihood  ratio  (LLR)  between  the  “change”  and  “no-change”  hypotheses  for  the  n-th 
observation  from  the  i- th  sensor  and  let 


R  —  ExZ^l) 


■/log(  f§)/l(‘,(lW* 
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be  the  Kullback-Leibler  (K-L)  information  number  between  the  densities  /,  l\x)  and  fo  \x). 

The  asymptotic  performance  of  an  optimal  centralized  detection  procedure  that  has  access  to 
all  data  Xn  is  given  by 

inf  SADD(r)  =  — (1  +  o(l)),  7  — >•  oo,  (5) 

-re  A  (7)  Itot 

where  Itot  =  J2iLi  See,  e.g.,  [2,  23,  24].  This  performance  is  attained  for  the  centralized 
CUSUM  test  that  uses  all  available  data. 

4.4.1.  Centralized  CUSUM  Detection  Test.  The  centralized  CUSUM  test  is  defined  as 

rc  =  min  {n  ^  1  :  Wc(n )  ^  h}  , 

where  the  (centralized)  CUSUM  statistic  Wc{n)  is  given  by  the  recursion 

Zi(n)\,  n  =  1,2,...  (6) 

(1UC(0)  =  0)  and  the  threshold  h  is  chosen  so  that  ARL(rc(/i))  =  7.  It  is  known  [2,  23,  24] 
that  ARL(rc(/i))  A  eh  and,  hence,  h  =  log 7  guarantees  ARL(rc(/i))  A  7.  The  latter  choice 
is  usually  conservative  but  useful  for  preliminary  estimates  and  first-order  asymptotic  analysis. 
Substantial  improvements  can  be  obtained  using  corrected  Brownian  motion  approximations  [23] 
and  the  renewal  argument  [25]. 

In  the  following  two  subsections,  we  consider  two  types  of  decentralized  detection  procedures 
that  use  “compressed”  data  IJ \  (n) , ,  Un  (n)  which  are  transmitted  to  the  fusion  center  for  making 
the  final  decision.  The  compression  level  for  both  types  of  procedures  is  maximal  -  the  data 
Ui(n)  =  0  or  1,  i.e.,  binary.  Thus,  for  both  proposed  decentralized  detection  procedures  the 
required  bandwidth  for  communication  with  the  fusion  center  is  minimal.  The  advantage  of  the 
first  detection  test  with  binary  quantized  data  is  that  it  does  not  require  any  processing  power  at  the 
sensors.  In  Section  4.4.3,  even  simpler  “one-shot  voting”  local  decision  (LD)  based  detection  tests 
are  introduced. 

4.4.2.  Decentralized  CUSUM  Test  with  Binary  Quantization  at  the  Sensors.  Consider  the  sce¬ 
nario  where  based  on  the  observation  Xt(n)  available  at  the  sensor  Si  at  time  n  a  message  Ut(n) 
belonging  to  a  finite  alphabet  (e.g.,  binary)  is  formed  and  sent  to  the  fusion  center  (see  Figure  7). 
Write  Un  =  (IJ\  (n). . . . ,  UN(n))  for  the  vector  of  N  messages  at  time  n.  Based  on  the  sequence 
of  sensor  messages,  a  decision  about  the  change  is  made  at  the  fusion  center.  The  goal  is  to  find  a 
detection  test  at  the  fusion  center  that  has  certain  optimality  properties.  This  test  is  identified  with 
a  stopping  time  on  {U„  }n7i  at  which  it  is  declared  that  a  change  has  occurred. 

In  the  following  we  consider  the  simplest  case  where  Ui(n)  =  ipi{Xi(n))  are  the  outputs  of  bi¬ 
nary  quantizers.  The  asymptotically  optimal  policy  for  the  decentralized  change  detection  problem 
with  binary  quantization  that  minimizes  SADD(r)  =  supfc  E/. { r  —  k\r  A  k ),  while  maintaining 
the  ARL(r)  at  a  level  greater  than  7,  consists  of  a  set  of  stationary  monotone  likelihood  ratio  quan¬ 
tizers  (MLRQ)  at  the  sensors  followed  by  the  CUSUM  procedure  based  on  {U„  }rt^i  at  the  fusion 
center  [26,  31]. 


N 


wc 


,n  =  max 


0  ,WC 


n 


U  +  E 


2=1 
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More  specifically,  the  optimal  binary  quantizer  is  the  MLRQ  which  is  given  by 


Ui  =  A(x) 


1  if 


f(’), ' 


/rco 

0  otherwise, 


>  U, 


where  tt  is  a  positive  finite  threshold  that  maximizes  the  K-L  information  in  the  resulting  Bernoulli 
sequence  for  the  post-change  and  pre-change  hypotheses. 

To  be  precise,  for  1  —  0,1,  let  gj^  denote  the  probability  induced  on  U,  (n)  when  the  observation 
Xi(n)  is  distributed  as  fjl) .  Let  /30,j  =  g^iUiij)  =  1)  and  $  =  g[‘\Ui(j)  =  1)  denote  the 
corresponding  probabilities  under  the  normal  and  the  anomalous  conditions,  respectively.  The 
resulting  binary  (Bernoulli)  sequences  {Ui(j),i  =  1 , ,N},  j  ^  1  are  then  used  to  form  the 
binary  CUSUM  statistic  similar  to  (6)  as 

N 

Wb(n)  =  max{0,W\n-l)  +  J2Zi(n))}i  n  =  1,2,...  (7) 

i= 1 


where  Wb(  0)  =  0  and 


Zb(n)  =  log 


9o\Ui(n)) 


is  the  partial  LLR  between  the  “change”  and  “no-change”  hypotheses  for  the  binary  sequence, 
which  is  given  by 

Zb(n)  =  a.iUiin )  +  a0>i. 


Here 


A(1  —  Po,i 
A),i(  1  —  Pi)  1 


OQ,i 


log 


1  ~Pi 

1  —  Po,i 


Then  the  CUSUM  detection  procedure  at  the  fusion  center  is  given  by  the  stopping  time 


n(h)  =  min  {n  ^  1  :  Wb(n)  ^  h]  , 


(8) 


where  h  is  a  positive  threshold  which  is  selected  so  that  ARL(t&(/i))  ^  7.  In  what  follows  this 
detection  procedure  will  be  referred  to  as  the  binary  quantized  CUSUM  test  (BQ-CUSUM). 

The  BQ-CUSUM  procedure  with  h  =  logy  is  asymptotically  optimal  as  7  — >  00  in  the  class 
of  tests  with  binary  quantization  in  the  sense  of  minimizing  the  SADD  in  the  class  A(y).  More 
specifically,  the  tradeoff  curve  for  the  optimal  binary  test  is 

SADD(rfe)  ~  7  -»•  00,  (9) 

-Hot 

where  lj*ot  =  J2iLi  maxt,  I \{ti)  is  the  total  maximal  K-L  distance  (optimized  over  the  quantization 
thresholds  fQ;  I b(ti)  =  +  Oo ,*(£*)]  is  the  K-L  distance  for  the  binary  sequence  in  the 

7-th  sensor  for  the  quantization  threshold  tr. 
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The  asymptotic  relative  efficiency  (ARE)  of  a  detection  procedure  r7  with  respect  to  a  detection 
procedure  r/7,  both  of  which  meet  the  same  lower  bound  7  for  the  ARL,  will  be  defined  as 


ARE(t7;  t/7) 


SADD(t7) 

lim  — - — h-. 

7-00  SADD(?77) 


Using  (5)  and  (9),  we  obtain  that  the  ARE  of  the  globally  asymptotically  optimal  test  v  with 
respect  to  the  BQ-CUSUM  test  77,  is 


ARE(z/;  Tfe) 


lim 

7— >00 


infrGA(7)  SADD(r) 
SADD  (77,  (/i7)) 


Ib 

1tot 

Itot 


(10) 


Since  Itot  is  always  larger  than  l£ot,  the  value  of  ARE  <  1.  However,  our  study  presented 
below  shows  that  certain  decentralized  asymptotically  globally  optimal  tests  may  perform  worse 
in  practically  interesting  prelimit  situations  when  the  false  alarm  rate  is  moderately  low  but  not 
very  low. 

4.4.3.  Decentralized  Detection  Tests  Based  on  Local  Decisions.  We  now  consider  three  detection 
schemes  that  perform  local  detection  in  the  sensors  and  then  transmit  these  local  binary  decisions  to 
the  fusion  center  for  optimal  combining  and  final  decision-making.  The  abbreviation  LD-CUSUM 
will  be  used  for  procedures  that  perform  CUSUM  tests  in  sensors  and  use  local  decisions. 

A.  Asymptotically  globally  optimal  decentralized  LD-CUSUM  test.  Let 


Wi(n)  =  max  {0,  Wj{n  -  1)  +  Zj(ra)}  ,  W*( 0)  =  0 


be  the  CUSUM  statistic  in  the  i-th  sensor,  where,  as  before,  Z^n)  =  \og[f[z\xi(n)) / /^(X^n))] 
is  the  LLR  for  the  original  sequence. 

Let 


1  if  Wn(i)  ^  7Tj/i 

0  otherwise, 


where  77  =  R/Itot  and  h  is  a  positive  threshold. 
The  stopping  time  is  defined  as 


T\d(h)  =  min  j  n  :  minJWi(n) /ni]  ^  h>  .  (11) 

In  other  words,  binary  local  decisions  (1  or  0)  are  transmitted  to  the  fusion  center,  and  the  change 
is  declared  at  the  first  time  when  Ut(n)  =  1  for  all  sensors  /  =  1, ....  A. 

It  can  be  shown  that  under  certain  conditions 


EooTld(/i)  ^  eh 


and 


SADD  (Tld(h)) 


1  +  o(l), 


(12) 
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where 

CN  =  E  max  <  °^Yt  1  , 
l^i^N  (  I,  J 

Yx . . ,  V'v  are  independent  standard  Gaussian  random  variables;  ar 
operator  of  variance  under  fx  '}. 

Therefore,  if  h  =  log  y,  then 

inf  SADD(r)  ~  SADD (Tld(h))  ~  7  ->  00 

reA(  7)  Itot 

and  the  detection  test  Txd(h)  is  globally  asymptotically  optimal  (AO),  i.e.,  ARE(Tid;rc)  =  1. 
Correspondingly,  we  will  use  the  abbreviation  AO-LD-CUSUM  for  this  test  in  the  rest  of  the 
report. 

However,  since  the  second  term  in  the  asymptotic  approximation  (12)  is  on  the  order  of  the 
square  root  of  the  threshold,  it  is  expected  that  the  convergence  to  the  optimum  is  slow.  Note 
that  for  the  optimal  centralized  CUSUM  test  and  for  the  decentralized  CUSUM  test  with  binary 
quantization  residual  terms  are  constants.  We  therefore  expect  that  for  moderate  false  alarm  rates 
typical  for  practical  applications  the  procedure  with  quantization  may  perform  better.  Below  this 
conjecture  is  verified  for  the  Poisson  model. 

B.  “One-shot”  voting  decentralized  LD-CUSUM  tests.  Let  7 (7/)  =  niinjn  :  Wi(n)  A  h} 
denote  the  stopping  time  of  the  CUSUM  test  in  the  i-th  sensor.  Introduce  the  stopping  times 

TjninO)  =  min(ri,  ...,tn),  Tmax(/i)  =  max(ri, 

that  will  be  referred  to  as  minimal  LD-CUSUM  (Min-LD-CUSUM)  and  maximal  LD-CUSUM 
(Max-LD-CUSUM)  tests,  respectively. 

It  can  be  shown  that 

ARL(Tmax)  ^  eh  and  ARL(Tmin)  A  N~leh. 

and  that,  as  h  — >  00, 

SADD(Tmin) - ,  SADD(Tmax)  ~  — h—, 

max*  1,;  rmrij  I,; 

Therefore,  taking  the  thresholds  h  =  logy  in  the  first  case  and  h  =  log  (Ay)  is  the  second  case, 
we  obtain  the  tradeoff  curves  that  relate  the  SADD  and  the  ARL,  as  7  — >  00: 

SADD(Tmin)  ~  SADD (Tmax)  ~ 

max,;  1,;  mm,  I,; 

It  follows  that  in  the  symmetric  case  where  R  =  I  the  asymptotic  relative  efficiency  of  these 
detection  tests  compared  to  the  optimal  centralized  test  is 

ARE(Tmin;  rc)  =  ARE(Tmin;  rc)  =  A. 
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4.4.4.  Monte  Carlo  Experiments.  In  this  section,  we  present  the  results  of  MC  experiments  for  the 
Poisson  example  where  observations  in  the  i-th  sensor  Xt(n),  n  A  1  follow  the  common  Poisson 
distribution  V(p,i)  in  the  pre-change  mode  and  the  common  Poisson  distribution  V {()■,)  after  the 
change  occurs,  i.e.,  for  m  —  0, 1,  2, . . .  and  A  —  k. 


P  k(Xi(n)  =  m) 


(tXre-m 

ml 

(gpmc-(5>v 


for  k  >  n, 
for  k  ^  n, 


where  without  loss  of  generality  we  assume  that  9t  >  /j  ,  . 

Write  Qi  =  9-J /y.  It  is  easily  seen  that  the  LLR  statistic  in  the  i-th  senor  has  the  form 


Zn(i)  =  Xi(n)  log  (Qi)  -  Hi(Qi  ~  1), 


(14) 


and  the  K-L  information  numbers 


li  =  0i  log  Qi-  1),  i  =  1,  •  •  • ,  N. 


(15) 


It  follows  from  (5),  (15)  and  the  above  discussion  that  the  centralized  CUSUM  and  AO-LD- 
CUSUM  tests  with  the  thresholds  h  =  logy  are  first-order  globally  asymptotically  optimal  and 


inf  SADD(r)  ~  SADD(rc)  ~  SADD(TW)  ~ 

r£A(7) 


_ log  7 _ 

Ell  ft  log  Qi-p-iiQi  -  1)] 


(16) 


This  means  that  the  ARE  of  these  detection  tests  with  respect  to  the  globally  optimal  test  is  equal 
to  1. 

In  order  to  evaluate  the  ARE  of  an  optimal  test  v  (e.g.,  the  centralized  CUSUM  test  rc)  with 
respect  to  the  BQ-CUSUM  test  (8)  we  use  (10),  which  yields 


ARE(z/-  t  )  =  Eli  maxtt[A(f,;X(f)  +  a0ti(U)] 
Elit^logQ*1  -  Hi{Qi  ~  1)] 


(17) 


where  the  probabilities  /3q ,i(t)  and  6t(t)  are  given  by: 


OO 


@0 J 
k=\ti\ 


Hi  e 

kl 


Pi(ti)  = 


OO 

£ 

fc=r*»i 


ek  e-e% 

kl 


The  optimal  values  of  t(-  =  arg  max  I-'(i,:)  that  maximize  the  K-L  numbers  are  easily  found 
based  on  these  formulas.  Consider  a  symmetric  case  where  jii  =  10  and  9t  =  12  for  all  i  = 
Then  I,  =  I  =  0.1879,  the  optimum  threshold  is  =  12,  and  the  corresponding 
maximum  K-L  distance  for  the  binary  sequence  I^f?)  =  Ife  =  0.119.  Therefore,  the  loss  in 
efficiency  of  the  BQ-test  compared  to  the  globally  asymptotically  optimal  detection  procedure  is 
ARE(z/;  n)  =  0.119/0.1879  =  0.63,  i.e.,  for  the  large  ARL  we  expect  about  37%  increase  in  the 
average  detection  delay  compared  to  the  centralized  CUSUM  (C-CUSUM).  The  following  MC 
simulations  show  that  for  the  practically  interesting  values  of  the  ARL  (up  to  13, 360)  the  gain  of 
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Figure  8:  Operating  characteristics  of  detection  procedures 


the  optimal  C-CUSUM  test  is  even  smaller,  while  the  AO-LD-CUSUM  test  performs  worse  than 
the  BQ-CUSUM  test  due  to  the  reasons  discussed  in  Section  4.4.3. 

MC  simulations  have  been  performed  for  the  above  symmetric  situation  (i.e.,  ji,  —  //  =  10  and 
6i  =  9  =  12)  with  N  =  5  sensors.  We  used  105  MC  replications  in  the  experiment.  The  operating 
characteristics  of  the  five  detection  tests  (SADD  vs  log(ARL))  are  shown  in  Figure  8.  It  is  seen 
that  the  BQ-CUSUM  test  substantially  outperforms  the  AO-LD-CUSUM  test  for  all  false  alarm 
rate  range  used  in  simulations.  This  result  confirms  our  conjecture.  It  is  also  seen  that  both  Min- 
LD-CUSUM  and  Max-LD-CUSUM  perform  worse  than  both  BQ-CUSUM  and  AO-LD-CUSUM 
tests. 

4.4.5.  Conclusions  and  Future  Work.  The  presented  results  allow  us  to  compare  performance 
of  four  proposed  decentralized  change  detection  procedures,  as  well  as  to  determine  loss  in  effi¬ 
ciency  compared  to  the  globally  optimal  centralized  scheme.  The  first  detection  test,  called  the 
BQ-CUSUM  test,  uses  binary  quantizers  at  the  sensors  followed  by  the  CUSUM  detection  pro¬ 
cedure  at  the  fusion  sensor.  The  second  detection  test,  called  the  AO-LD-CUSUM  test,  performs 
local  detection  at  the  sensors  using  CUSUM  tests,  and  at  each  sampling  point  transmits  these  local 
decisions  to  the  fusion  center  for  combining  and  making  the  final  decision.  Both  decentralized 
detection  procedures  transmit  only  binary  sequences  of  l’s  and  0’s  to  the  fusion  center.  There¬ 
fore,  both  detection  tests  use  maximal  possible  level  of  data  compression  and  require  minimum 
bandwidth  for  communication.  The  third  and  fourth  decentralized  detection  procedures,  called  the 
minimal  and  maximal  LD-CUSUM  tests  respectively,  are  based  on  independent  voting  of  sensors. 
In  the  former  one  the  decision  is  made  at  the  first  time  when  the  first  CUSUM  test  detects  the 
change;  while  in  the  latter  one  when  all  the  sensors  detect  the  change  (but  independently,  not  like 
in  the  AO-LD-CUSUM). 


29 


Phase  1  Final  Progress  Report  ARO  MURI  Grant  #  W91  INF-06- 1-0094:  Spatio-Temporal  Nonlinear  Filtering  With  Applications  to  Information  Assurance  and  Counter  Terrorism 


Due  to  losses  of  information,  the  BQ-CUSUM  test  is  inferior  to  the  globally  optimal  cen¬ 
tralized  CUSUM  test.  On  the  other  hand,  the  AO-LD-CUSUM  test  is  first-order  asymptotically 
globally  optimal  for  low  false  alarm  rate.  However,  convergence  to  the  optimum  is  expected  to  be 
slow,  since  the  second  term  in  the  decomposition  for  the  average  detection  delay  goes  to  infinity 
as  the  square  root  of  the  threshold.  We  therefore  conjectured  that  despite  the  fact  that  the  AO- 
LD-CUSUM  test  is  first-order  asymptotically  optimal  it  may  perform  worse  than  the  non-optimal 
BQ-CUSUM  test  in  realistic  environment.  The  results  of  MC  simulations  for  the  Poisson  model 
confirm  this  latter  hypothesis.  For  the  model  considered  the  BQ-CUSUM  outperforms  the  LD- 
CUSUM  for  all  range  of  tested  ARLs,  from  33  to  13,360.  The  increase  in  the  SADD  is  30%  for 
high  false  alarm  rate  and  it  slowly  reduces  to  18%  for  low  false  alarm  rate.  While  potentially 
the  ARE  of  the  AO-LD-CUSUM  test  compared  to  the  BQ-CUSUM  test  is  37%,  this  performance 
never  kicks  in  for  realistic  moderately  low  false  alarm  rate. 

The  “voting”  Min-LD-CUSUM  and  Max-LD-CUSUM  tests  are  neither  asymptotically  optimal 
nor  very  efficient.  Both  tests  are  inferior  to  AO-LD-CUSUM  and  BQ-CUSUM  tests.  The  Min- 
LD-CUSUM  test  is  inferior  to  the  Max-LD-CUSUM  test  in  the  symmetric  case,  and  it  is  expected 
to  perform  even  better  in  asymmetric  scenarios. 

The  additional  advantage  of  the  BQ-CUSUM  test  compared  to  all  other  decentralized  LD- 
CUSUM  tests  is  that  it  does  not  require  any  processing  power  at  the  sensors. 

While  the  considered  Poisson  model  is  motivated  by  network  security  applications  such  as 
rapid  detection  of  computer  intrusions,  in  reality  it  never  holds  and  therefore  efficient  nonpara- 
metric  detection  procedures  are  needed.  Suitable  procedures  will  be  developed  during  the  Year  2 
effort.  Their  comprehensive  study  (theoretical,  MC  simulations,  and  implementation  for  real  data 
sets)  for  multi-sensor  distributed  systems  is  an  important  task  of  the  future  work.  See,  however, 
Section  4.7  for  some  preliminary  results. 

4.5.  Energy-Efficient  Tracking  in  Sensor  Networks 

4.5.1.  Problem  Description.  The  essential  features  of  the  tracking  problem  described  in  Ligure  9 
are  contained  in  a  one-dimensional  simplification  where  the  sensors  are  placed  on  a  line  and  the 
object  undergoes  a  random  walk  on  the  line.  We  hence  consider  this  simplification  in  the  sequel  to 
facilitate  presentation,  with  the  understanding  that  the  techniques  that  we  develop  can  be  general¬ 
ized  to  the  two-dimensional  tracking  problem. 

Consider  a  one-dimensional  sensor  network  with  sensors  placed  unit  distance  apart  from  —  m 
to  +m.  An  object  that  has  to  be  tracked  by  this  sensor  network  is  assumed  to  undergo  a  random 
walk  along  the  line.  Let  %  denote  the  location  of  the  object  at  time  k.  Then 


bk+i  =  bk  +  wk  (18) 

where  { wk }  are  i.i.d.  integer- valued  random  variables  with  known  distribution.  We  assume  that 
Wk  G  [— n,n ]  with  n  typically  being  much  smaller  than  m.  Lor  example,  {«'/,•}  could  be  i.i.d. 
Bernoulli  random  variables  that  take  the  value  +1  or  —1  with  equal  probability.  The  tracking 
problem  stops  when  the  object  leaves  the  network,  i.e.,  when  bk  (f  {— m, . . . ,  0, . . . ,  m}. 

A  central  unit,  which  controls  this  sensor  network,  is  assumed  to  maintain  the  information 
required  to  compute  the  sleep  times  of  the  sensors  in  the  system  and  to  assign  the  sleep  times  for 
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Figure  9:  Object  tracking  in  a  field  of  sensors 


the  sensors  that  come  awake.  A  sensor  is  either  awake  or  asleep  at  each  time  instant.  Each  sensor 
that  wakes  up  remains  awake  for  one  time  unit  during  which  the  following  actions  are  taken:  (i) 
if  the  object  is  within  its  range,  the  sensor  detects  the  object  and  sends  this  information  to  the 
central  unit,  and  (ii)  the  sensor  receives  a  new  sleep  time  (which  may  equal  zero)  from  the  central 
controller.  The  input  from  the  central  unit  is  used  to  set  a  sleep  timer  at  the  sensor,  which  gets 
decremented  by  one  every  time  unit. 

Let  rk,e  denote  the  residual  sleep  time  at  time  k  for  the  sensor  located  at  position  i,  i.e.,  rkk  is 
the  value  of  the  sleep  timer  at  sensor  i  at  time  k.  Also  let  uk/  denote  the  control  input  (sleep  time) 
given  to  sensor  £  from  the  central  unit  at  time  k.  We  can  write  the  update  of  rk)k  as 

rk+ 1/  =  (r k,£  ~~  l)l{rM>0}  +  uk,£^-{rk>e= 0}  (19) 

where  1  is  the  indicator  function.  We  use  the  vector  notation  rk  =  (rk-m,  ■  ■  . ,  rkrn)  and  uk  = 

—mi  •  •  •  i  W k,m )  • 

Based  on  (18)  and  (19),  we  see  that  we  have  discrete-time  dynamical  model  that  describes  our 
tracking  problem,  with  exogenous  input  wk  and  control  input  uk.  The  state  of  the  system  at  time 
k  is  described  by  xk  =  (bk.  rk)  and  it  has  the  following  evolution  in  time: 


%k+ 1 


f(xkjuk,wk )  if  xky£T 

T  if  xk  =  T  or  if  bk  {—  m, . . . ,  m } 


(20) 


where  T  denotes  a  terminal  state  that  the  system  reaches  when  the  objects  exits  the  sensor  net¬ 
work,  and  /  is  described  by  (18)  and  (19).  Once  in  the  terminal  state,  the  system  remains  there 
indefinitely.  With  some  possible  abuse  of  notation,  we  denote  the  components  of  the  terminal  state 
corresponding  to  both  bk  and  rk  by  T. 
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Unfortunately,  not  all  of  xk  is  known  to  the  central  unit  at  time  k  since  bk  is  known  only  if 
the  sensor  at  location  bk  is  awake  at  time  k.  Thus  we  have  dynamical  system  with  incomplete  (or 
partially  observed)  state  information.  If  we  denote  the  observation  available  to  the  central  unit  at 
time  k  by  zk,  then  zk  =  (sk,  rk),  with 

{bk  if  bk^T  and  rkM:  =  0 
£  if  bk^T  and  rk)bk  >  0 
T  if  bk  =  T 

where  £  denotes  an  unknown  or  “erasure”  value. 

The  total  information  available  to  the  control  unit  at  time  k  is  given  by 

h  =  {zQ, . . .  ,zk,u0, . . . ,  uk- 1).  (21) 

with  Iq  =  ;„o  denoting  the  initial  (known)  state  of  the  system.  The  control  input  for  sensor  t  at  time 
k  is  allowed  to  be  a  function  of  Ik,  i.e., 


Uk,i  — 


We  assume  that  an  energy  cost  of  unity  is  contributed  by  each  sensor  that  is  awake,  and  a 
tracking  cost  of  c  is  incurred  for  each  time  unit  that  the  object  is  not  tracked.  The  total  cost  at  time 
k  is  then  given  by 

T  m  1 


g(xk) 


Xk^T} 


clUMfc>o}  +  E 


1 


{rk,bk=0} 


(22) 


t=—m 


Thus  c  is  the  parameter  used  to  tradeoff  energy  consumption  and  tracking  errors,  and  the  total  cost 
values  for  different  values  of  c  produce  the  tradeoff  curve  for  a  given  sleeping  policy. 


The  total  cost  (over  a  possibly  infinite  horizon  trajectory)  for  the  system  is  given  by 


Mh,  go,  gi, . . .)  —  E 


E 


,k= i 


Since  g  is  bounded  by  (2m  +  1  +  c),  the  cost  function  J0  is  guaranteed  to  be  bounded  as  long 
as  the  expected  time  for  the  object  to  exit  the  system  is  finite.  The  latter  condition  holds  for  any 
nontrivial  random  walk.  Hence  the  following  optimization  problem  is  well  defined. 


Jo(/0)  =  min  J0{I0,iM),gu  •  •  •)  (23) 

Momir- 

The  solution  to  this  optimization  problem  for  each  value  of  c  yields  an  optimal  sleeping  policy.  The 
optimization  problem  falls  under  the  framework  of  partially  observable  Markov  decision  process 
(POMDP),  and  the  optimal  solution  may  be  obtained  via  dynamic  programming  (DP). 
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4.5.2.  Optimal  Solution  via  Dynamic  Programming.  We  begin  with  identifying  sufficient  statis¬ 
tics  for  the  tracking  problem. 

Sufficient  statistic  for  DP.  The  information  for  decision-making  at  time  k  given  in  (21)  is  un¬ 
bounded  in  memory.  It  is  easy  to  show  via  standard  arguments  (see,  e.g.  [3])  that  a  sufficient 
statistic  for  optimization,  that  is  bounded  in  memory,  is  given  by  the  probability  distribution  of  the 
state  xk,  given  Ik.  Since  rk  is  part  of  xk,  the  sufficient  statistic  can  be  written  as  vk  =  (rk.  pk), 
where  pk  is  a  row  vector  that  denotes  the  probability  distribution  of  the  location  of  the  object,  bk, 
given  Ik.  The  components  of  pk  are  given  by: 

Pk,e  =  P({bk  =  £}\Ik),  £=-m,  (24) 

and  pk)rn+i  =  P({&fc  =  T}\  Ik). 

The  sufficient  statistic  (or  belief  state  as  it  is  referred  to  in  the  POMDP  literature  [1])  can  be 
updated  recursively  based  on  the  new  observation.  It  is  easiest  to  see  this  in  two  steps.  First  we 
update  pk  without  using  the  new  observation  zk+i,  he.,  using  only  Ik  to  form  vector  qk+l  with 
components 

qk+ m  =  P({6/c+i  =  Z}\h)  (25) 

and  qk+ltm+i  =  P({&fc+i  =  T}| If).  The  vector  qk+1  is  obtained  from  pk  via  a  Markov  evolution 
with  transition  matrix  P  defined  by  statistics  of  the  jump  variables  {w*;}: 

qk+ 1  =  Pk p  (26) 

The  last  row  of  P  corresponds  to  the  absorbing  terminal  state. 

We  now  “clean  up”  qk+i  using  the  new  observation  zk+ 1  as  follows.  If  the  object  is  observed 
at  sensor  £,  we  replace  qk+l  with  a  unit  point  mass  at  i.  If  the  object  is  not  observed  by  any  of 
the  sensors  that  are  awake,  we  zero  out  the  those  components  of  qk+1  and  normalize  the  remaining 
ones.  Thus 

Pk+l,e  =  l{sfe+i=£}  +  l{sfc+i=£}  l{rfc+l  f^ 0}  y-  -h  ““ ““  ~  •  (27) 

Hrk+1,i^0}qk+l,i 

Tractability  of  optimal  solution.  We  can  easily  write  down  the  finite-horizon  DP  equations  in 
terms  of  the  sufficient  statistic  vk  =  (rk.  pkj.  Furthermore,  it  is  easily  established  that  the  finite- 
horizon  cost-to-go  functions  converge  as  the  horizon  goes  to  infinity  and  that  the  corresponding 
limits  are  independent  of  k  due  to  the  stationary  nature  of  the  problem.  Thus  the  optimal  cost  in 
(23)  is  given  by  the  infinite-horizon  cost-to-go  function,  and  the  corresponding  optimal  control 
functions  pk  are  the  same  for  all  k.  The  optimal  cost  and  the  optimal  sleeping  policy  can  hence  be 
found  by  solving  a  Bellman  equation  [3],  via  known  techniques  such  as  successive  approximation. 
However,  the  optimal  solution  is  intractable  even  for  small  sensor  networks.  This  is  because  the 
state  space  grows  exponentially  with  the  number  of  sensors.  For  example,  even  with  seven  sensors 
with  maximum  sleep  time  of  only  10  and  probability  mass  function  quantized  to  multiples  of  0.1, 
there  are  about  109  possible  states  vk. 
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4.5.3.  Practical  approximations.  We  now  address  the  problem  of  finding  practical  tractable  solu¬ 
tions,  yet  efficient  in  terms  of  statistical  performance. 

Qmdp  solution.  Because  the  optimal  solution  is  intractable,  we  wish  to  formulate  an  alternative 
problem  that  is  tractable  yet  retains  most  of  the  essential  features  of  the  optimal  solution.  A  popular 
approach  to  finding  good  suboptimal  solutions  for  POMDP’s  is  to  assume  that  at  times  after  the 
current  time,  we  will  have  perfect  state  information.  The  solution  so  obtained  is  known  in  the 
literature  as  the  QMDP  solution  [1], 

We  assume  that  beyond  the  current  time,  each  sensor  somehow  knows  the  exact  position  of  the 
object  each  time  it  wakes  up.  Thus,  whenever  a  sensor  wakes  up,  the  set  of  possible  distributions  it 
sees  is  the  set  of  point  mass  distributions.  Under  this  assumption  it  is  clear  that  from  the  perspective 
of  a  sensor  i.  the  actions  of  the  other  sensors  do  not  affect  the  state  evolution.  We  also  know  that  a 
sensor  £  can  only  affect  the  cost  that  accrues  either  when  sensor  i  comes  awake  or  when  a  tracking 
error  occurs  at  sensor  L  Thus,  the  optimization  problem  under  this  assumption  fully  separates  into 
2m  +  1  problems  —  one  for  each  sensor. 

Let  us  solve  the  optimization  problem  at  sensor  £  using  an  infinite-horizon  dynamic  program. 
Since  the  residual  sleep  times  of  the  other  sensors  are  irrelevant  to  optimal  decision  making  in 
the  Qmdp  setting,  the  sufficient  statistic  for  decision  making  at  time  k  is  simply  pk.  The  Bellman 
equation  for  this  problem  is  easily  shown  to  be 

U 

J"\p)  =  min  (  V  c  [PP],  +  V  [pP»+i]  .  +  V  [pP«+‘]t  ) 

M  i= 1  k 

where  eb  denotes  a  row  vector  with  a  one  in  position  b  and  zeros  everywhere  else,  and  where  J 1 ' 1 
is  the  infinite-horizon  cost-to-go  function  for  sensor  t.  The  QMDP  policy  for  sensor  t,  p§ ,  is  given 
from  the  minimization  on  the  RHS  of  (28). 

If  we  can  solve  (28)  for  p  =  eb  for  b  €  {— m, . . . ,  m,  T},  we  have  sufficient  information 
to  define  the  solution  for  any  other  distribution  p.  Thus  we  have  2m  +  2  equations  in  2m  +  2 
unknowns.  However,  this  set  of  equations  does  not  have  a  unique  solution  since  we  can  add  an 
arbitrary  constant  to  a  solution  J 1 '  and  still  satisfy  the  equations.  We  therefore  add  the  additional 
constraint  that  J^(eT)  =  0  (which  is  clearly  the  desired  solution).  This  reduces  the  problem  to 
one  of  2m  +  1  equations  in  2m  +  1  unknowns  with  a  unique  solution.  An  effective  method  for 
finding  the  solution  is  to  use  policy  iteration  [1], 

A  lower  bound  on  optimal  performance.  Since  the  QMDP  solution  assumes  more  information 
than  is  actually  available,  the  cost  obtained  in  its  derivation  is  a  lower  bound  on  the  cost  of  any 
scheme.  In  particular,  if  we  apply  the  QMDP  policy  to  the  actual  system  (without  perfect  state 
information),  we  will  achieve  a  higher  cost.  Intuitively,  the  lower  bound  should  be  tightest  when 
the  number  of  tracking  errors  is  small  so  that  the  assumption  that  the  position  of  the  object  is 
known  is  most  realistic. 

Point  mass  approximations.  The  QMDP  policy,  /jq  =  {pq  :  W}  is  considerably  easier  to  com¬ 
pute  than  the  optimal  policy  and  can  be  computed  on-line  after  some  initial  off-line  computation 
has  been  completed.  However,  such  on-line  computation  requires  sufficient  processing  power  and 
could  introduce  delays.  It  would  be  convenient  if  pQ  could  be  pre-computed  and  stored  either  at 
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the  central  controller  or  at  sensor  i  itself.  The  latter  option  is  particularly  attractive  since  it  allows 
for  decentralized  implementation.  But  the  set  of  possible  distributions  p  is  potentially  quite  large 
—  even  if  quantization  is  performed  —  and  could  make  the  storage  requirements  prohibitive. 

To  make  the  storage  requirements  feasible,  we  consider  approximations  of  the  QMDP  algorithm 
where  p  is  replaced  by  a  unit  point  mass  distribution.  There  are  two  options  for  the  placement  of 
the  unit  point  mass:  (i)  the  centroid  of  p,  and  (ii)  the  nearest  point  to  the  sensor  on  the  support  of 
p.  The  latter  option  allows  for  the  implementation  of  the  QMDP  policy  without  detailed  information 
about  the  statistics  of  the  random  walk  -  only  the  support  of  the  jump  variables  Wk  is  required! 

4.5.4.  Numerical  Results.  Simulations  of  the  various  polices  were  performed  for  1-D  sensor  net¬ 
works.  In  these  simulations,  the  object  was  initially  placed  at  the  center  of  the  network  and  the 
location  of  the  object  was  made  known  to  each  sensor.  By  averaging  over  many  simulation  runs,  it 
was  possible  to  compute  the  average  number  of  tracking  errors  and  the  average  number  of  sensors 
awake  per  unit  time.  These  values  could  then  be  plotted  for  different  values  of  c  to  generate  a 
tradeoff  curve  for  these  two  quantities. 

Figures  10  and  11  show  results  for  two  different  networks.  The  results  of  Figure  10  are  for 
a  network  with  41  sensors  (m  =  20)  where  the  object  moved  according  to  a  symmetric  random 
walk.  In  other  words,  the  {  «;/.}  were  i.i.d.  random  variables  taking  on  value  +1  or  —1  with  equal 
probability.  The  results  of  Figure  11  are  for  a  network  with  61  sensors  (m  =  30)  where  the  { Wk } 
were  i.i.d.  random  variables  uniformly  distributed  over  {—3,  —2, . . . ,  2,  3}. 


m=20,  Symmetric  Random  Walk 


Sensors  Awake  Der  Unit  Time 


Figure  10:  Comparison  of  lower  bound  and  QMDP  solutions  for  m  =  20 

Four  curves  are  plotted  in  each  figure.  The  first  curve  is  the  tradeoff  curve  that  results  from 
the  lower  bound  described  in  the  previous  section.  Although  this  curve  is  unachievable,  it  is  useful 
as  a  baseline  since  if  a  sleeping  policy  approaches  the  performance  of  this  reference  curve,  that 
sleeping  policy  must  also  be  approaching  optimal  performance.  The  remaining  three  curves  are 
simulation  results  for  the  QMDP  solution  and  for  the  QMDP  solution  using  the  centroid  and  nearest 
point  approximations  described  in  the  previous  section. 
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m=30,  ±3  Max  Uniform 


Figure  11:  Comparison  of  lower  bound  and  QMDP  solutions  for  m  =  30 


From  these  simulation  results,  we  see  that  the  QMDP  solution  is  very  close  to  the  curve  for  our 
lower  bound  and  is  thus  nearly  optimal.  This  is  especially  true  in  the  regime  of  interest  where 
the  tracking  error  is  small.  The  use  of  point  mass  approximations  does  result  in  some  loss  of 
performance,  but  again  this  loss  is  small  for  small  tracking  error. 

Note  that  we  could  also  consider  a  more  primitive  policy  (which  does  not  use  location  infor¬ 
mation)  where  each  sensor  would  be  awake  with  some  probability  7r  at  each  time  instant.  As  tt 
were  varied,  we  would  achieve  a  tradeoff  curve  that  is  a  straight  line  between  the  points  (0, 1)  and 
(2m  +  1,  0)  in  the  coordinate  system  used  in  the  above  plots.  When  compared  with  this  tradeoff 
curve,  the  schemes  we  have  proposed  result  in  significant  improvement. 

We  have  obtained  similar  results  for  a  variety  of  other  cases  for  the  object  trajectory,  includ¬ 
ing  one-dimensional  walks  with  more  complicated  statistics  for  u>fc,  and  two-dimensional  random 
walks,  which  we  could  not  present  here  due  to  space  limitations.  We  have  also  designed  a  simpler 
suboptimal  solution  called  the  FCR  solution,  which  suffers  from  some  performance  loss  relative 
to  the  Qmdp  solution.  The  details  are  given  in  [11].  Extensions  to  more  realistic  object  movement 
and  sensing  models  are  described  in  [12]. 

4.6.  Information  Integration  and  Fusion  in  Distributed  Heterogeneous  Multisource  Multi¬ 
sensor  Systems 

4.6.1.  Multi-Vehicle  Motion  and  Sensing.  In  [7],  we  study  cooperative  control  algorithms  using 
pairwise  interactions,  for  the  purpose  of  controlling  flocks  of  unmanned  vehicles.  An  important 
issue  is  the  role  the  potential  plays  in  the  stability  and  possible  collapse  of  the  group  as  agent 
number  increases.  We  model  a  set  of  interacting  Dubins  vehicles  with  fixed  turning  angle  and 
speed.  We  perform  simulations  for  a  large  number  of  agents  and  we  show  experimental  realizations 
of  the  model  on  a  testbed  with  a  small  number  of  vehicles.  In  both  cases,  critical  thresholds  exist 
between  coherent,  stable,  and  scalable  flocking  and  dispersed  or  collapsing  motion  of  the  group. 
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The  paper  [19]  describes  the  second  generation  of  an  economical  cooperative  control  testbed 
described  in  [15].  The  original  car-based  vehicle  is  improved  with  on-board  range  sensing,  lim¬ 
ited  on  board  computing,  and  wireless  communication,  while  maintaining  economic  feasibility  and 
scale.  A  second,  tank-based  platform,  uses  a  flexible  caterpillar-belt  drive  and  the  same  modular 
sensing  and  communication  components.  We  demonstrate  practical  use  of  the  testbed  for  algo¬ 
rithm  validation  by  implementing  a  recently  proposed  cooperative  steering  law  involving  obstacle 
avoidance. 

Autonomous  robotic  systems  (observers)  equipped  with  range  sensors  must  be  able  to  dis¬ 
cover  their  surroundings,  in  an  initially  unknown  environment,  for  navigational  purposes.  In  [18], 
we  present  an  implementation  of  a  recent  environment  mapping  algorithm  [17]  based  on  Essen¬ 
tially  Non-oscillatory  (ENO)  interpolation  [14].  The  tank-based  platform  is  used  to  validate  our 
algorithm  due  to  the  ability  of  the  tanks  to  turn  in  place.  The  tanks  are  equipped  with  a  flexi¬ 
ble  caterpillar  drive,  range  sensor,  limited  onboard  computing,  and  wireless  communication.  This 
project  was  jointly  sponsored  by  Los  Alamos  National  Lab  and  the  Research  in  Industrial  Projects 
for  Students  at  the  Institute  for  Pure  and  Applied  Mathematics. 

4.6.2.  Change-Point  Detection  Methods  for  Obstacle  Avoidance.  We  implemented  a  basic  change- 
point  detection  method  on  the  platform  described  above,  using  the  car-based  chassis  rather  than 
the  tank.  The  particular  task  was  obstacle  avoidance  in  real  time  using  a  noisy  IR  range  sensor 
mounted  on  the  front  of  the  vehicle.  As  the  vehicle  approaches  the  obstacle,  sensor  readings  ad¬ 
just  from  background  noise  to  a  level  indicating  the  presence  of  the  object.  Figure  12  shows  an 
example  of  raw  sensor  readings.  To  filter  the  signal,  we  use  a  particular  version  [27]  of  a  standard 
cumulative  sum  algorithm  [2] .  Let  Xn  denote  the  raw  sensor  signal  at  time  level  n  and  //  denote 
the  mean  of  the  background  noise  when  no  obstacle  is  present.  Define  Zn  =  Xn  —  fi  ~  c  where  c 
is  a  fraction  of  the  expected  change  in  sensor  reading  due  to  the  obstacle.  Next  define  recursively 
Wn  =  max(0,  Zn  +  Wn- 1),  n  =  1,  2, . . .  (W0  =  0).  The  calculated  value  Wn  should  remain 
around  zero  until  the  change  of  state  occurs,  at  which  point  it  ramps  up.  An  example  is  shown 
in  Figure  12.  Once  Wn  passes  a  designated  threshold  (large  enough  to  avoid  false  alarms  with  a 
high  probability)  the  object  is  detected.  Using  the  car  chassis  at  1/5  of  the  full  throttle,  we  test 
the  cumulative  sum  algorithm  for  different  values  of  c  ranging  from  150  to  400.  The  results  are 
well-reproduced  in  multiple  trials.  These  values  lie  closely  on  a  linear  fit,  therefore  we  use  the 
c  =  200  state  in  practice  for  the  most  advanced  warning. 

The  change  point  detection  algorithm  allowed  a  team  of  vehicles  to  avoid  an  obstacle  while 
reaching  a  target  on  the  other  side  of  the  obstacle.  The  result  is  shown  in  Figure  13. 

4.6.3.  Spatio-Temporal  Image  Segmentation  and  Video  Tracking.  We  consider  the  complex  task 
of  video  tracking  under  occlusions  and  in  complex  backgrounds.  We  assume  that  the  complete 
object  boundary  is  known  through  prior-shape  template  information  and  that  the  object  undergoes 
only  affine  motion  across  frames.  Our  approach  is  to  track  the  object  by  segmenting  it  in  each 
frame,  and  also  simultaneously  registering  it  with  the  given  template.  The  method  is  based  a  level 
set  idea  [6,  20]  but  also  uses  a  logic  based  (OR/ AND)  segmentation  framework  to  segment  the 
object  under  occlusions  and  complex  backgrounds.  The  novelty  of  this  method  is  our  automatic 
choice  of  the  OR/ AND  logic  model  based  on  prior  shape  information.  The  developed  tracking 
algorithm  under  partial  occlusions  utilizes  Logic  Models  with  the  addition  of  prior  shape  informa¬ 
tion.  We  represent  object  motion  as  a  registration  between  frames.  We  can  track  successfully  as 
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Distance  to  the  obstacle  (cm) 


Figure  12:  Cumulative  sum  algorithm  applied  to  sensor  data  from  a  single  car  approaching  an 
obstacle,  (top  left)  raw  data  and  cumulative  sum,  (top  right)  cumulative  sums  for  different  choices 
of  c,  (bottom)  sample  car  path  avoiding  obstacle  with  cumulative  sum  sensor  output. 


38 


Phase  1  Final  Progress  Report  ARO  MURI  Grant  #  W91  INF-06- 1-0094:  Spatio-Temporal  Nonlinear  Filtering  With  Applications  to  Information  Assurance  and  Counter  Terrorism 


1 30  r 


u  65  - 
X 


4 

^  T 


/ 

1  r 

A  m  4 

V  - 


70 


140 


210 


Y  (cm) 


Figure  13:  Target  seeking  with  barrier  avoidance.  Top  four  panels  show  snapshots,  at  different 
times,  of  a  single  demonstration  of  the  maneuver.  The  time  progresses  from  top  left  to  bottom 
right.  The  bottom  figures  shows  trajectories  of  the  cars  compared  to  both  the  actual  barrier  (dark) 
and  the  larger  virtual  barrier  (light)  as  computed  from  the  range  sensors  of  the  observers. 
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long  as  the  object  of  interest  maintains  nearly  constant  shape  and  intensity  throughout  the  sequence, 
and  does  not  become  totally  occluded.  In  addition  the  algorithm  provides  object  contouring.  See 
[4]  for  more  information. 

The  results  of  tracking  are  shown  in  Figure  14. 
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Figure  14:  Occlusion  tracking  from  two  video  sequences 
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Figure  15:  Residential  burglaries  in  the  city  of  Long  Beach,  2000-2005.  Number  of  repeat  break 
ins  at  the  same  location,  as  a  function  of  time  from  original  break  in 


4.6.4.  Models  for  Crime  Patterns.  We  worked  on  models  for  residential  burglaries.  The  goal  was 
to  show  how  crime  opportunities  and  motivated  offenders  can  lead  to  unevenly  distributed  events. 
Basic  foraging  strategies  are  what  bring  motivated  offenders  together  with  criminal  opportunities. 
Of  particular  interest  in  this  study  was  the  fact  that  repeat  burglaries  at  the  same  location  follow  a 
rapid  temporal  drop  off  (see  Figure  15). 
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We  built  a  mathematical  model  for  these  events  and  have  shown  that  this  leads  to  spatial  crime 
hotspots  in  a  neighborhood. 

4.7.  Applications  of  CPD  and  Spectral  Signal  Processing  Methods  to  Intrusion  Detection  in 
Distributed  Computer  Networks 

One  of  the  important  applications  of  distributed  change-point  detection  methods  developed  in 
Section  4.4  is  intrusion  detection  in  distributed  high-speed  computer  networks.  A  significant  num¬ 
ber  of  serious  cyberattacks  on  a  variety  of  governmental  agencies,  universities,  and  corporations 
have  recently  been  identified  [16].  These  attacks,  including  a  variety  of  buffer  overflows,  worm- 
based,  denial-of-service  (DoS)  and  man-in-the-middle  (MiM)  attacks,  are  designed  to  gain  access 
to  additional  hosts,  steal  sensitive  data,  and  disrupt  network  services.  As  a  result,  rapid  detection 
of  a  wide  spectrum  of  network  intrusions  and  robust  separation  of  legitimate  and  malicious  traffic 
are  vital  for  the  continuation  of  normal  operation  of  networks.  See  Kent  [16]  and  Tartakovsky  et 
all  [27]-[29]  for  a  more  detailed  discussion. 

Typically  network  intrusions  occur  at  unknown  points  in  time  and  lead  to  changes  in  the  sta¬ 
tistical  properties  of  certain  observables.  For  example,  distributed  DoS  (DDoS)  attacks  lead  to 
changes  in  the  mean  value  of  the  number  of  packets  of  a  particular  type  (TCP,  ICMP,  or  UDP)  and 
size,  while  address  resolution  protocol  (ARP)  MiM  attacks  lead  to  changes  in  the  average  number 
of  ARP  requests  [27]-[29].  It  is  therefore  intuitively  appealing  to  formulate  the  problem  of  detect¬ 
ing  attacks  as  a  quickest  change-point  detection  problem:  to  detect  changes  in  statistical  models  as 
rapidly  as  possible  (i.e.,  with  minimal  average  delays)  while  maintaining  the  false  alarm  rate  at  a 
given  low  level. 

4. 7.1.  Nonparametric  Distributed  Change  Detection  Algorithms  for  Detecting  Intrusions.  It  fol¬ 
lows  from  the  results  of  Section  4.4  that  in  the  case  of  complete  information  about  the  pre-change 
and  the  post-change  models,  (asymptotically)  optimal  detection  procedures  in  multisensor  detec¬ 
tion  systems  can  be  constructed  based  on  the  LLR-based  CUSUM  tests.  However,  in  intrusion 
detection  applications,  these  models  are  unknown.  For  this  reason,  in  [27]-[29],  a  nonparametric 
approach  was  proposed  and  thoroughly  tested  for  a  single-sensor  scenario.  This  approach  can  be 
extended  easily  to  the  multisensor  centralized  and  decentralized  scenarios. 

More  specifically,  when  the  pre-change  and  post-change  densities  are  unknown,  the  LLRs 
Zfn)  defined  in  (4)  are  also  unknown  and  should  be  replaced  by  appropriate  score  functions  sfn) 
that  have  negative  mean  values  E^s^n)  <  0  before  the  change  occurs  and  positive  mean  values 
E ksfn)  >  0  after  the  change  occurs. 

While  we  do  not  specify  any  particular  model  in  terms  of  probability  distributions,  some  as¬ 
sumptions  on  the  change  should  be  made.  Indeed,  score  functions  can  be  chosen  in  many  ways, 
and  their  selection  depends  crucially  on  the  type  of  change  that  we  intend  to  detect.  For  example, 
different  score  functions  are  used  to  detect  changes  in  the  mean  and  changes  in  the  variance.  In 
applications  of  interest,  the  detection  problem  can  be  usually  reduced  to  detecting  changes  in  mean 
values. 

Let  ^  =  Eoc  Xfj)  and  0,  =  Ei  Xfj)  denote  the  pre-change  and  post-change  mean  values  in 
the  i-\h  sensor.  Typically,  the  baseline  mean  values  //,  can  be  estimated  quite  accurately  in  advance 
while  the  values  of  9i  are  usually  unknown  and  either  should  be  estimated  on-line  or  replaced  by 
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reasonable  numbers,  e.g.,  by  the  expected  minimal  values.  In  the  rest  of  this  subsection  we  suppose 
for  concreteness  that  0l  >  //, . 

For  i  =  1, . . . ,  N,  introduce  the  following  score  functions  8,  (11)  =  X,  (n)  —  //,  —  q,  where 
in  the  general  case  q  =  q(n )  may  depend  on  past  observations,  which  is  desirable  to  guarantee 
an  adaptive  structure  of  the  detection  procedure.  For  example,  one  may  take  q(n)  =  e9,.n,  where 
£  is  a  tuning  parameter  belonging  to  the  interval  (0, 1)  and  9i>n  =  7,,n(X'')  is  an  estimate  of  the 
unknown  mean  0$.  Choosing  the  latter  estimators  as  well  as  optimizing  the  parameter  e  based  on 
the  training  data  are  not  straightforward  tasks,  as  discussed  in  detail  in  Tartakovsky  et  al  [27].  For 
this  reason,  it  is  convenient  to  set  q(n)  =  q,  where  q  are  positive  constants  that  do  not  depend  on 
n. 

Positiveness  of  q  is  essential  to  guarantee  the  negative  value  of  E.xq(n)  =  — q  under  the 
no-change  hypothesis.  On  the  other  hand,  q  does  not  have  to  be  too  large  in  order  to  guarantee  the 
positive  value  of  =  0,  —  /q  —  q  under  the  alternative  hypothesis.  A  particular  choice  of  q 

is  discussed  in  [27]. 

If  the  above  conditions  hold,  the  score-based  CUSUM  statistic  in  the  7-th  sensor 


W* (n)  =  max  {0,  W?(n  —  1)  +  sfn)} 


remains  close  to  zero  in  normal  conditions  while  when  the  change  occurs  it  starts  rapidly  drifting 
upward  (see  Figure  16  for  a  typical  behavior).  The  combined  from  all  the  sensors,  centralized 
CUSUM  statistic 

f  N 

Ws(n )  =  max  <  0,  Ws(;n  —  1)  +  ^  q(n) 
l  i= 1 

has  a  similar  behavior. 

The  time  of  alarm  in  the  centralized  detection  scheme  is  defined  as  the  first  time  n  when  the 
statistic  Ws(n)  crosses  a  positive  threshold. 

A  binary  quantized  version  of  the  CUSUM  test  can  be  designed  analogously  to  Section  4.4.2. 
See  [27]  for  further  details. 

Finally,  a  nonparametric  LD-CUSUM  test  has  the  form  (11)  where  the  LLR-based  CUSUM 
statistic  Wt  (n)  is  replaced  with  the  score-based  CUSUM  statistic  W?{n)  and  where 


7T;  = 


9  {  /-/,  q 


Eili  (Oi-Vi-Ci) 


For  the  sake  of  simplicity,  we  assume  here  that  the  post-change  mean  values  9i  are  known. 

Note  that  the  above  nonparametric  detection  algorithms  are  no  longer  guaranteed  to  be  optimal. 
Certain  optimization  is  possible  based  on  the  training  data  [27]. 


4.7.2.  Experimental  Results:  Rapid  Detection  of  DDoS  Attacks.  We  now  present  the  results  of 
experimental  study  of  the  distributed  CPD  algorithms  proposed  in  the  previous  section  for  detecting 
intrusions  in  distributed  computer  networks.  Specifically,  we  report  the  results  of  testing  the  NP- 
CUSUM  and  B-CUSUM  procedures’  abilities  to  detect  a  TCP  SYN  flooding  attack  based  on  real 
network  traffic  data  collected  and  made  available  by  the  MIT  Lincoln  Laboratory. 
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The  data  sets  in  the  study  contain  extensive  training  data  that  was  collected  during  several 
sessions  over  a  three-year  period.  We  have  used  the  2000  LLDoS  1 .0  intrusion  scenario  specific 
data  sets  and  a  1999  training  data  set.  The  attack  consisted  of  three  hijacked  servers  sending 
many  TCP  connections  to  a  victim  host.  The  goal  of  the  attack  was  to  prevent  other  hosts  from 
connecting  to  the  server  by  overloading  its  resources  and  those  of  the  network.  The  data  set  was 
manually  split  into  two  portions:  one  before  an  abrupt  change  in  the  traffic  and  one  after.  This  was 
possible  since  the  change  was  clearly  visible.  (We,  however,  cannot  guarantee  that  the  selected 
moment  in  time  really  was  the  moment  of  the  attack.)  In  order  to  better  illustrate  the  properties 
of  the  algorithms,  we  have  made  the  change  in  traffic  less  obvious  and  the  detection  task  more 
difficult.  To  this  end,  we  have  combined  a  training  data  set  with  normal  traffic  with  the  data  set 
containing  the  assumed  attack  traffic  and  have  modified  the  average  number  of  packet  arrivals  per 
second  by  re-scaling  the  times  between  packets  during  the  assumed  attack.  This  technique  can  be 
considered  as  a  simulated  TCP  flooding  attack  observed  in  real  “background”  traffic  and  gives  us 
a  flexibility  in  controlling  attack  intensities.  Resampling  of  the  traffic  was  used  to  estimate  the 
performance  of  the  algorithms. 

We  have  considered  two  scenarios  for  detecting  the  change  in  the  average  number  of  observed 
packets.  The  length  of  the  sampling  period  during  which  the  packets  were  counted  was  0.1  second 
in  both  scenarios.  In  Scenario  1,  the  mean  value  increased  from  12.5  to  21.32  while  the  standard 
deviation  of  the  observed  packets  remained  almost  the  same  before  (17.96)  and  after  the  change 
(17.62).  In  Scenario  2,  we  made  the  detection  task  more  difficult  by  simultaneously  increasing 
the  mean  by  a  smaller  amount  from  12.5  to  16.04  and  decreasing  the  standard  deviation  of  the 
observed  packet  numbers  from  17.96  to  13.54.  Since  the  binary  LR-CUSUM  test  is  sensitive  to 
changes  not  only  in  mean  values  but  in  variance  as  well,  we  expect  that  it  performs  best  in  the 
second  scenario. 


(b)  Scenario  2:  Binary  LR-CUSUM 


Figure  16:  NP-CUSUM  and  B-CUSUM  detection  statistics 


The  plots  in  Figure  16  illustrate  the  typical  behavior  of  the  detection  statistics  for  the  NP- 
CUSUM  and  B-CUSUM  tests  for  Scenario  2.  It  is  seen  that  the  statistics  fluctuate  not  very  far 
from  the  zero  reflection  barrier  for  the  legitimate  traffic,  but  start  rapidly  drifting  upward  after  the 
attack  occurs.  It  is  also  seen  that  the  B-CUSUM  detection  statistic  has  much  less  variability  under 
the  no-attack  hypothesis  as  compared  to  that  of  the  NP-CUSUM,  which  results  in  lower  threshold 
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(a)  Scenario  1  (b)  Scenario  2 

Figure  17:  Operating  characteristics  of  the  NP-CUSUM  and  binary  CUSUM  tests 


values  for  the  same  FAR.  This  is  the  second  reason  why  we  expect  that  the  B -CUSUM  test  is  more 
efficient  in  the  second  scenario  than  the  NP-CUSUM  test. 

The  NP-CUSUM  test  was  first  carefully  optimized.  The  optimal  value  of  e  was  estimated  as 
copi  =  0.15  in  Scenario  1  and  as  £opt  =  0.058815  in  Scenario  2.  The  operating  characteristics  for 
both  scenarios  are  shown  in  Figure  17.  In  Scenario  2,  the  graph  illustrates  the  effect  of  decreasing 
the  variance  of  the  observed  data  after  the  change  of  the  mean.  In  this  situation,  the  thresholds  of 
the  NP-CUSUM  tests  must  be  higher  than  in  the  case  where  the  variance  remains  the  same.  As  we 
just  mentioned,  the  binary  test  is  sensitive  not  only  to  changes  in  mean  values  but  also  to  variance 
changes;  as  a  result,  the  binary  test  performs  significantly  better,  as  predicted  above.  In  Scenario  1, 
the  optimized  NP-CUSUM  test  performs  better,  as  can  be  expected  from  the  preceding  discussion. 

4.7.3.  Spectral  Analysis  Techniques  for  Signature-based  IDS.  The  fundamental  difficulty  in  de¬ 
tecting  the  attacks  we  described  earlier  is  the  inability  of  current,  packet  content-based  IDS’s  to 
gather  enough  information  about  a  packet  stream  to  classify  it  as  an  attack.  Specifically: 

•  Encrypted  attacks  do  not  allow  access  to  application  headers  and  payload  to  perform  sig¬ 
nature  detection.  Therefore,  traditional  content-based  signatures  cannot  be  extracted  and 
distributed  to  other  IDSs. 

•  Low-level  attacks  are  hard  to  detect  because  they  produce  a  very  small  signal  near  the  source, 
which  is  buried  in  normal  traffic.  An  IDS  looking  for  such  attacks  would  have  to  expend 
many  resources  examining  numerous  small  flows,  which  would  significantly  hamper  the 
operation  of  the  IDS. 

•  Attacks  through  proxies  present  a  challenge  because  malicious  and  legitimate  traffic  are 
mixed  in  a  way  that  makes  it  hard  for  the  IDS  to  distinguish  them.  For  example,  attack  traffic 
coming  from  a  Network  Address  Translation  (NAT)  proxy  has  the  same  source  address  as 
legitimate  traffic,  making  it  impossible  to  filter  on  source  address. 

Our  approach  is  to  use  spectral  analysis  techniques  applied  on  packet  arrival  time  series  to 
detect  such  attacks.  Such  techniques  do  not  rely  on  packet  content,  and  are  thus  impervious  to 
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encryption.  Additionally,  low-level  and  proxy  attacks  are  now  transformed  into  low-level  signal 
detection  in  the  aggregate,  enabling  us  to  use  standard  signal  processing  techniques  for  detection. 
Thus,  instead  of  producing  traditional  content-based  signatures,  we  can  produce  more  robust  spec¬ 
tral  signatures,  which  can  be  distributed  to  other  IDSs. 

4.7.4.  Hybrid  Anomaly-Signature  Intrusion  Detection  System.  FAR  of  anomaly-based  detectors 
with  hard  decisions  may  be  improved  by  analyzing  more  detailed  patterns  in  traffic  statistics,  i.e., 
signatures.  Therefore,  combining  spectral  signature  approach  and  corresponding  signal  processing 
techniques  with  anomaly  change  detection  based  techniques  seems  to  be  beneficial.  This  approach 
is  complementary  to  the  anomaly-based  and  signature-based  IDSs  and  allows  for  profiling,  i.e., 
confirmation  or  rejection  of  detection  decisions  at  the  output  of  the  anomaly  detector  using  signa¬ 
ture  analysis.  Combining  these  two  methods  into  a  hybrid  IDS  is  not  a  trivial  task. 

To  be  more  specific,  the  idea  is  to  design  a  hybrid  anomaly-signature  IDS  where  the  anomaly 
detector  is  followed  by  automatic  signature  analysis  tools.  Our  definition  of  signatures  is  different 
from  the  conventional  approach:  flow-based  signatures,  e.g.,  spectral.  See  Section  4.7.3. 

Approach  summary: 

•  Hybrid  algorithms  with  profiling  capability  that  combine  advanced  statistical  anomaly  de¬ 
tection  methods  (such  as  change  detection)  with  flow-based  signature  detection  algorithms 
(such  as  spectral-based  methods). 

•  This  approach  is  complementary  to  the  anomaly-based  and  signature-based  IDSs  and  allows 
for  profiling,  i.e.,  confirmation  or  rejection  of  detection  decisions  at  the  output  of  the  anomaly 
detector  using  signature  analysis. 

•  Allows  for  lowering  FAR,  while  keeping  detection  delays  to  a  minimum. 

•  Allows  for  automatic  signature  generation  and  update. 


5.  POTENTIAL  IMPACTS 

The  research  will  produce  novel  spatial-temporal  nonlinear  estimation,  change  detection,  pat¬ 
tern  recognition,  image  processing,  computer  vision,  and  data  fusion  algorithms  with  improved 
performance  that  will  significantly  impact  the  effectiveness  of  DOD  in  recognizing  spatio-temporal 
patterns  of  activity  in  heterogeneous  volumes  of  data.  The  research  will  produce  much  needed 
models  of  behavior  and  will  take  a  stand  against  the  wrongheaded  idea  that  one  can  infer  goals 
and  track  behaviors  in  a  purely  data-driven  way,  without  rich  models.  The  idea  of  developing  rich 
models  and  embedding  them  in  nonlinear  estimators  and  classifiers,  and  integrating  trajectories 
through  multiple,  compensating  spaces  has  great  potential  for  higher  levels  of  information  fusion, 
i.e.,  to  the  sort  of  activity  conventionally  assigned  to  level  2,  3  and  4  fusion  tasks.  We  believe 
that  our  research  will  result  in  practical  and  scalable  algorithms  for  on-line  tracking  of  plans  and 
intentions,  which  can  serve  as  a  basis  for  an  automatic  real-time  detection  and  warning  system 
for  intelligence  applications.  Such  methodology  has  direct  application  to  information  assurance, 
MASINT  vulnerability  assessment,  video  surveillance  and  defense  against  terrorism. 
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6.  FUTURE  TECHNOLOGY  TRANSFER 

The  research  will  produce  effective  methods  and  algorithms  as  well  as  related  software  products 
of  interest  for  target  tracking  and  intelligence  analysis  communities. 

The  design  of  the  robotics  testbed  has  led  to  the  formation  of  a  new  company,  RoboES,  from 
former  students  at  UCLA,  that  has  recently  submitted  an  SBIR  proposal.  Andrea  Bertozzi  consults 
for  a  defense  contractor  who  is  working  on  a  classified  DARPA  project  involving  video  tracking. 
Published  works  from  this  MURI  project  could  be  useful  for  the  DARPA  project.  Los  Alamos 
National  Laboratory  took  an  interest  in  the  testbed  design  and  jointly  sponsored  a  summer  project, 
described  above,  on  dynamic  visibility  algorithms  with  real  sensors. 


REFERENCES 

[1]  D.  Aberdeen,  “A  (revised)  survey  of  approximate  methods  for  solving  POMDP’s,”  Technical 
Report ,  Dec.  2003,  http://users.rsise.anu.edu.au/  daa/papers.html. 

[2]  M.  Basseville  and  I.V.  Nikiforov,  Detection  of  Abrupt  Changes:  Theory  and  Applications. 
Prentice  Hall,  Englewood  Cliffs,  1993. 

[3]  D.  Bertsekas,  Dynamic  Programming.  Prentice-Hall,  Upper  Saddle  River,  NJ,  1987. 

[4]  J.  von  Brecht,  S.R.  Thiruvenkadam,  and  T.  Chan,  “Occlusion  tracking  with  logical  models,” 
preprint,  2007. 

[5]  H.H.  Bui,  S.  Venkatesh,  and  G.  West,  “Policy  recognition  in  the  abstract  hidden  Markov 
model,”  Journal  of  Artificial  Intelligence  Research ,  vol.  17,  pp.  451-499,  2002. 

[6]  T.  Chan  and  L.  Vese,  “Active  contours  without  edges,”  IEEE  Trans.  Image  Proc.,  vol.  10,  no. 
2,  p.266,  2001. 

[7]  Y.-L.  Chuang,  Y.R.  Huang,  M.R.  D’Orsogna,  and  A.L.  Bertozzi,  “Multi-vehicle  flocking: 
scalability  of  cooperative  control  algorithms  using  pairwise  potentials,”  The  2007  IEEE  In¬ 
ternational  Conference  on  Robotics  and  Automation ,  2007  (accepted). 

[8]  PR.  Cohen  and  C.T.  Morrison,  “The  Hats  Simulator,”  Proceedings  of  the  2004  Winter  Simu¬ 
lation  Conference,  pp.  849-856,  2004. 

[9]  J.  Cvitanic,  R.  Liptser,  and  B.  Rozovskii,  “A  filtering  approach  to  tracking  volatility  from 
prices  observed  at  random  times,”  Annals  of  Applied  Probability,  vol.  16,  no.  3,  pp.  1633- 
1652,  2006. 

[10]  J.  Cvitanic,  B.  Rozovskii,  and  I.  Zalyapin,  “Numerical  estimation  of  volatility  values  from 
discretely  observed  diffusion  data,”  J.  Numerical  Fin.,  2007  (accepted). 

[11]  J.  Luemmeler  and  V.V.  Veeravalli,  “Smart  sleeping  policies  for  energy  efficient  tracking  in 
sensor  networks,”  Submitted  to  the  IEEE  Transactions  on  Signed  Processing,  October  2006. 

[12]  J.  Luemmeler  and  V.V.  Veeravalli,  “Smart  sleeping  strategies  for  localization  and  tracking  in 
sensor  networks,”  In:  Proc.  40th  Asilomar  Conference  on  Signcds,  Systems,  and  Computers, 
Monterey,  CA,  November  2006. 

[13]  W.  Gilks,  S.  Richardson,  and  D.J.  Spiegelhalter,  Markov  chain  Monte  Carlo  in  Practice. 
Chapman  and  Hall,  1996. 


46 


Phase  1  Final  Progress  Report  ARO  MURI  Grant  #  W91  INF-06- 1-0094:  Spatio-Temporal  Nonlinear  Filtering  With  Applications  to  Information  Assurance  and  Counter  Terrorism 


[14]  A.  Harten,  B.  Engquist,  S.  Osher,  S.R.  Chakravarthy,  “Uniformly  high  order  accurate  essen¬ 
tially  nonoscillatory  schemes,  III,”  Journal  of  Computational  Physics ,  vol.  71,  pp.  231-303, 
1987. 

[15]  C.H.  Hsieh,  Y.  Chuang,  Y.  Huang,  K.K.  Leung,  A.L.  Bertozzi,  and  E.  Frazzoli,  “An  Eco¬ 
nomical  micro-car  testbed  for  validation  of  cooperative  control  strategies,”  Proc.  of  the  2006 
American  Control  Conference,  Minneapolis ,  MN,  June  14-16  2006,  pp.  1446-1451. 

[16]  S.  Kent,  “On  the  trial  of  intrusions  into  information  systems,”  IEEE  Spectrum,  vol.  37,  Issue 
12,  pp.  52-56,  December  2000. 

[17]  Y.  Landa,  R.  Tsai,  and  L.-T.  Cheng,  “Visibility  of  point  clouds  and  mapping  of  unknown 
environments,”  A  d  va  n  c  ed  Concepts  for  Intelligent  Vision  Systems,  ACIVS  2006,  Sept  18-21, 
2006,  University  of  Antwerp,  Belgium  (preprint  available  as  UCLA  CAM  report  06-16). 

[18]  Y.  Landa,  D.  Galkowski,  Y.R.  Huang,  A.  Joshi,  C.  Lee,  K.K.  Leung,  G.  Malla,  J.  Treanor, 
V.  Voroninski,  A.L.  Bertozzi,  and  R.  Tsai,  “Robotic  path  planning  and  visibility  with  limited 
sensor  data,”  The  2007  American  Control  Conference,  2007  (to  appear). 

[19]  K.K.  Leung,  C.H.  Hsieh,  Y.R.  Huang,  A.  Joshi,  V.  Voroninski,  and  A.L.  Bertozzi,  “A  second 
generation  micro-vehicle  testbed  for  cooperative  control  and  sensing  strategies,”  The  2007 
American  Control  Conference,  2007  (to  appear). 

[20]  M.  Moelich  and  T.  Chan,  “Joint  segmentation  and  registration  using  logic  models,”  J.  Vis. 
Commun.  Image  R.,v ol.  15,  pp.  333358,  2005. 

[21]  D.  Reid,  “An  algorithm  for  tracking  multiple  targets,”  IEEE  Trans.  Automat.  Contr.,  vol.  24, 
no.  6,  pp.  84-90,  1979. 

[22]  S.  Saria  and  S.  Mahadevan,  “Probabilistic  plan  recognition  in  multiagent  systems,”  Proceed¬ 
ings  of  ICAPS-04,  2004. 

[23]  D.  Siegmund,  Sequential  Analysis:  Tests  and  Confidence  Intervals.  Springer- Verlag,  New 
York,  1985. 

[24]  A.G.  Tartakovsky,  Sequential  Methods  in  the  Theory  of  Information  Systems.  Radio  and  Com¬ 
munications,  Moscow,  1991. 

[25]  A.G.  Tartakovsky,  “Asymptotic  performance  of  a  multichart  CUSUM  test  under  false  alarm 
probability  constraint,”  Proc.  44th  IEEE  Conference  on  Decision  and  Control  and  the  Eu¬ 
ropean  Control  Conference  (CDC-ECC’05),  December  12-15,  2005,  pp.  320-325,  Seville, 
Spain,  Omnipress  CD-ROM,  ISBN  0-7803-9568-9. 

[26]  A.G.  Tartakovsky  and  H.  Kim,  “Performance  of  certain  decentralized  distributed  change  de¬ 
tection  procedures,”  Proc.  9th  International  Conference  on  Information  Fusion,  Florence, 
Italy,  10-13  July  2006,  CD  ISBN  0-9721844-6-5,  IEEE  Catalog  No.  06EX1311C. 

[27]  A.G.  Tartakovsky,  B.L.  Rozovskii,  R.B.  Blazek,  and  H.  Kim,  “Detection  of  intrusions 
in  information  systems  by  sequential  change-point  methods  (with  discussion),”  Statistical 
Methodology,  vol.  3,  no.  3,  pp.  252-340,  2006. 

[28]  A.G.  Tartakovsky,  B.L.  Rozovskii,  R.B.  Blazek,  and  H.  Kim  ,  “A  novel  approach  to  detection 
of  intrusions  in  computer  networks  via  adaptive  sequential  and  batch-sequential  change-point 
detection  methods,”  IEEE  Transactions  on  Signed  Processing,  vol.  54,  no.  9,  pp.  3372-3382, 
2006. 


47 


Phase  1  Final  Progress  Report  ARO  MURI  Grant  #  W91  INF-06- 1-0094:  Spatio-Temporal  Nonlinear  Filtering  With  Applications  to  Information  Assurance  and  Counter  Terrorism 


[29]  A.G.  Tartakovsky,  B.L.  Rozovskii,  and  K.  Shah,  “A  nonparametric  multichart  CUSUM  test 
for  rapid  intrusion  detection,”  JSM  Proceedings  ( CD  Rom),  Minneapolis,  MN,  2005. 

[30]  A.G.  Tartakovsky  and  V.  Veeravalli,  “Change-point  detection  in  multichannel  and  distributed 
systems  with  applications,”  In:  Applications  of  Sequential  Methodologies  (N.  Mukhopad- 
hyay,  S.  Datta  and  S.  Chattopadhyay,  eds.),  Marcel  Dekker,  Inc.,  New  York,  pp.  339-370, 
2004. 

[31]  A.  Tartakovsky  and  V.  Veeravalli,  “An  efficient  sequential  procedure  for  detecting  changes  in 
multichannel  and  distributed  systems,”  Proceedings  of  the  5th  International  Conference  on 
Information  Fusion,  Annapolis,  MD,  8-11  July  2002,  vol.  1,  pp.  41-48. 

[32]  A.  Tartakovsky  and  V.  Veeravalli,  “Quickest  Change  Detection  in  Distributed  Sensor  Sys¬ 
tems,”  Proceedings  of  the  6th  International  Conference  on  Information  Fusion,  Australia, 
8-11  July  2003. 


48 


